Open source and third-party code components introduce an average of 24 vulnerabilities into each web application, exposing firms to a variety of serious threats including denial of service and malware injection, according to Veracode.
The application security vendor analyzed over 5,300 enterprise apps uploaded to its platform over the past two months and found an average of 24 vulnerabilities in each. More worrying still, each app contained on average eight “very high severity” or “high severity” vulnerabilities.
The practice of incorporating reusable and pre-built components from third parties – often open source – has become commonplace.
The problem is that these components are not subject to the same strict code vetting as internally or custom-developed software, Veracode claimed.
Although groups such as OWASP and PCI have drawn up policies and controls governing the use of components, organizations often lack the visibility needed to identify all the apps they run that might contain an insecure component.
There’s no satisfactory alternative to using such third-party components, so continuous auditing is key to minimizing risk, Veracode CTO Chris Wysopal told Infosecurity.
“Veracode recommends using reusable components as they increase the velocity of delivering software,” he explained.
“There is a small cost to this great benefit. It is monitoring those reusable components for newly discovered, publicly known vulnerabilities and being able to update/patch those components in a timely way.”
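As an added illustration of what that monitoring looks like in practice (this is example code written for this page, not Veracode's tooling or anything from the report), the following check cross-references an application's component inventory against a list of published advisories by affected version range, and reports which apps need an update. All component names, versions and advisory IDs are constructed placeholders, not real advisories.

```python
"""Minimal software-composition check: match an inventory of reusable
components against published advisories by version range.

Constructed example for illustration; component names, versions and
advisory IDs are placeholders, not real advisories."""

from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.
    Comparing strings would wrongly sort '1.2.10' before '1.2.9'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, constructed for this example
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet
    severity: str


@dataclass(frozen=True)
class Finding:
    app: str
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed: str


def is_affected(version: str, adv: Advisory) -> bool:
    """A version is affected if introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def audit(inventory, advisories) -> List[Finding]:
    """Cross-reference every (app, component, version) triple against the
    advisory list. Returns one Finding per matching advisory."""
    findings = []
    for app, component, version in inventory:
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append(Finding(app, component, version,
                                        adv.advisory_id, adv.severity, adv.fixed))
    return findings


def apps_with_high_severity(findings) -> List[str]:
    """Apps carrying at least one high or very high severity finding."""
    return sorted({f.app for f in findings if f.severity in ("High", "Very High")})


# Constructed sample inventory: (application, component, version in use).
SAMPLE_INVENTORY = [
    ("billing-portal", "libexample-json", "1.4.2"),
    ("billing-portal", "example-tls", "2.0.9"),
    ("hr-intranet", "libexample-json", "1.6.0"),
    ("hr-intranet", "example-tls", "2.1.1"),
    ("status-page", "example-tls", "2.0.10"),
]

# Constructed sample advisory feed (placeholder IDs, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "libexample-json", "1.0.0", "1.5.0", "High"),
    Advisory("ADV-EXAMPLE-0002", "example-tls", "2.0.0", "2.0.10", "Very High"),
    Advisory("ADV-EXAMPLE-0003", "example-tls", "2.1.0", "", "Medium"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        fix = f"upgrade to {f.fixed}" if f.fixed else "no fix published yet"
        print(f"{f.app}: {f.component} {f.version} hit by {f.advisory_id} "
              f"({f.severity}); {fix}")
```

Run as a script, it lists three findings: both billing-portal components, and hr-intranet's example-tls, for which no fixed version exists yet and which therefore needs tracking rather than an immediate upgrade. Note that status-page on example-tls 2.0.10 is correctly reported clean only because versions are compared numerically; a string comparison would have treated 2.0.10 as older than 2.0.9 and flagged it. In a real pipeline the inventory would come from a build manifest or SBOM and the advisory list from a vulnerability feed, re-run on every build so newly published advisories surface without manual effort.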
Fortunately, the recent publicity around the Heartbleed and Shellshock vulnerabilities – flaws that lay hidden in widely used code – has helped to force a change in attitude towards code flaws in software.
“Those widespread vulnerabilities have woken the security community up for the need to pay more attention to open source use when developing software and to monitor that usage for newly discovered vulnerabilities,” Wysopal argued.
“It has also caused the security community to realise that some widely used components may have high impact vulnerabilities, and that it would be worthwhile to fund code review of those components so the vulnerabilities can be found before black hat hackers find them.”