Open source components creating 'systematic risks', claims Veracode

Not just open source: Java is riddled with problems too

Security company Veracode has claimed that a combination of open source software and third-party components is creating a rising tide of unmanaged, systemic risks in businesses and other organisations across the world.

On top of that, it has also warned that almost all Java applications are blighted with at least one problem too.

The claims are made in Veracode's annual State of Software Security report, in which Java makes a regular appearance. However, the company asserted that first-party code generally improves, year on year, but that the same cannot be said of open source and third-party software.

This could cause problems for people and companies that do not carefully identify the software and components that they deploy.

"The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries," said Brian Fitzgerald, chief marketing officer at Veracode.

"Today, a cyber criminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds.

"Given our dependence on applications, the ease with which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy."

The short version is that the security of any software project or system deserves more careful consideration than, judging by Veracode's results, it generally gets.

The company found that 97 per cent of Java apps have at least one component with a known vulnerability, and that 60 per cent of all applications fail their security policies on a first scan.
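The practical counterpart to "carefully identify the software and components that they deploy" is a component inventory checked against known-vulnerable versions, which is how a figure like "one component with a known vulnerability" is arrived at. The following is an added example, not Veracode's code or anything from the report: it parses a constructed excerpt in the format of `mvn dependency:tree`, matches each third-party component against a constructed advisory list, and applies a simple policy. The group/artifact names and the `ADV-EXAMPLE-*` identifiers are placeholders, not real libraries or real CVEs.

```python
"""Inventory the third-party components of a Java build and check each one
against a list of known-vulnerable versions.

Added example, not Veracode's code. The dependency tree and advisory list are
constructed for illustration: the group/artifact names and advisory ids are
placeholders, not real libraries or real CVEs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the format printed by `mvn dependency:tree`.
DEPENDENCY_TREE = """\
[INFO] com.example:shop-web:war:2.0.0
[INFO] +- com.example:widget-lib:jar:1.2.3:compile
[INFO] |  \\- com.example:json-util:jar:3.0.1:compile
[INFO] +- com.example:auth-kit:jar:0.9.0:compile
[INFO] \\- com.example:test-helpers:jar:4.4.0:test
"""

# Constructed advisory list: component -> (advisory id, first fixed version).
# Every version strictly below the fixed version is treated as affected.
ADVISORIES = {
    "com.example:widget-lib": ("ADV-EXAMPLE-0001", "1.2.4"),
    "com.example:auth-kit": ("ADV-EXAMPLE-0002", "1.0.0"),
    "com.example:json-util": ("ADV-EXAMPLE-0003", "2.5.0"),
}

_LINE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"                       # tree-drawing prefix
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"  # groupId:artifactId
    r"(?P<pkg>[\w\-]+):(?P<version>[\w.\-]+)"       # packaging:version
    r"(?::(?P<scope>\w+))?\s*$"                     # scope is absent on the root
)


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    scope: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    fixed_version: str


def version_key(version: str) -> tuple:
    """Order versions numerically segment by segment ('1.2.10' > '1.2.9')."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def parse_dependency_tree(text: str) -> list[Component]:
    """Return the resolved components; the root project (no scope) is skipped."""
    components = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m is None or m.group("scope") is None:
            continue
        components.append(Component(m.group("group"), m.group("artifact"),
                                    m.group("version"), m.group("scope")))
    return components


def find_vulnerable(components, advisories) -> list[Finding]:
    """Match each component against the advisory list by name and version."""
    findings = []
    for c in components:
        entry = advisories.get(c.name)
        if entry and version_key(c.version) < version_key(entry[1]):
            findings.append(Finding(c, entry[0], entry[1]))
    return findings


def passes_policy(findings) -> bool:
    """Policy used here: no shipped (non-test) component may be on the list."""
    return not any(f.component.scope != "test" for f in findings)


if __name__ == "__main__":
    comps = parse_dependency_tree(DEPENDENCY_TREE)
    print(f"{len(comps)} third-party components inventoried")
    hits = find_vulnerable(comps, ADVISORIES)
    for f in hits:
        print(f"{f.component.name}:{f.component.version} ({f.component.scope}) "
              f"-> {f.advisory_id}, fixed in {f.fixed_version}")
    print("policy:", "PASS" if passes_policy(hits) else "FAIL")
```

Two design points matter more than the matching itself: the inventory is taken from the resolved dependency tree, so transitive components (here `json-util`, pulled in by `widget-lib`) are checked as well as direct ones, and the policy distinguishes test-scoped components from those that ship, so a hit in a test helper informs but does not by itself block a build. A real advisory source would replace the constructed list and would need proper version-range semantics rather than a single fixed-in version.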

It is perhaps no surprise that organisations which sandbox development prior to assurance testing tend to do better on security than those that do not. Also worth noting is that security tends to be better when training and remediation coaching are in place.

"The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments," added Chris Wysopal, co-founder and chief technology officer at Veracode.

"Our platform data shows that more companies are starting to test applications multiple times throughout the development lifecycle. The average number of security tests per app was seven, and some apps were scanned 700 to 800 times in an 18-month period.

"We are encouraged by this information because it suggests that companies are more deeply embedding security into their software development processes."