The study, the 'Unfortunate Reality of Insecure Libraries', found that many organizations use open source components as the building blocks for their applications but have zero visibility into whether the components they are using are secure, thereby exposing the organization to security risks.
For the study, researchers at Aspect Security analyzed data from the Central Repository – the industry’s principal venue for open source components – and a global survey conducted by Sonatype of 2,550 developers, architects, and industry experts.
The study highlighted an overlooked application security issue and gap in the software supply chain – the lack of an update notification infrastructure for open source components.
“The consumption of open source components with known security flaws is merely a symptom of a broader condition… The problem we exposed is that for much of the traditional open source infrastructure there is no vendor infrastructure to bridge critical gaps between innovation and consumption”, explained Wayne Jackson, chief executive officer of Sonatype.
“When these open source components are discovered to be flawed and fixed over time, there is no update and notification infrastructure that would inform the users of those components” about the security flaw or fix, Jackson told Infosecurity.
The report found that more than 80% of typical software applications are open source components and frameworks consumed in binary form.
Collectively, Global 500 organizations downloaded more than 2.8 million insecure open source components in one year, and Global 100 financial services firms alone downloaded more than 567,000 insecure components over the same period.
“The missing [security update] infrastructure, combined with the rapid consumption of open source, does put organizations that aren’t using sound practices at risk”, Jackson observed.
There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks, according to the report. Google Web Toolkit was downloaded 17.7 million times with known vulnerabilities. Other vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
The study found that one in three of the most popular components had older, vulnerable versions still being commonly downloaded, even when a newer version – with the security fix – was available.
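The gap the study describes, an application still declaring an older version of a component after a fixed version has been published, is something a build can check for itself. The following is an added example written for this article, not code from the study or from Sonatype: it reads the dependencies from a constructed pom.xml fragment, compares each declared version against a constructed advisory feed (the artifact names and fixed versions are hypothetical), and reports any dependency that sits below the first fixed version.

```python
"""Flag declared Maven dependencies that are older than the first fixed
version in an advisory feed (constructed data; hypothetical artifacts)."""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory feed: coordinate -> first version carrying the fix.
# These artifacts and versions are hypothetical, not real advisories.
ADVISORIES = {
    "org.example:widget-lib": "2.4.1",
    "org.example:xml-parser": "1.10.0",
}

# Constructed pom.xml fragment standing in for an application's build file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>widget-lib</artifactId><version>2.3.9</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xml-parser</artifactId><version>1.10.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>other-lib</artifactId><version>0.1</version></dependency>
  </dependencies>
</project>"""

def version_key(v):
    """Comparable key for a Maven-style version (simplified relative to Maven's
    own ComparableVersion): numeric parts with trailing zeros dropped, so
    1.2 == 1.2.0, then a release flag so 1.0-beta sorts before 1.0."""
    base, _, qualifier = v.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), qualifier == "", qualifier)

def declared_dependencies(pom_xml):
    """Yield (coordinate, version) for each <dependency> in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(POM_NS + "dependency"):
        gid = dep.findtext(POM_NS + "groupId")
        aid = dep.findtext(POM_NS + "artifactId")
        yield f"{gid}:{aid}", dep.findtext(POM_NS + "version")

def outdated_vulnerable(pom_xml, advisories=ADVISORIES):
    """Return [(coordinate, used, fixed)] for dependencies whose declared
    version is older than the first fixed version in the advisory feed."""
    findings = []
    for coord, used in declared_dependencies(pom_xml):
        fixed = advisories.get(coord)
        if fixed and version_key(used) < version_key(fixed):
            findings.append((coord, used, fixed))
    return findings

if __name__ == "__main__":
    for coord, used, fixed in outdated_vulnerable(SAMPLE_POM):
        print(f"{coord} {used} is below the first fixed version {fixed}; update it")
```

In a real pipeline the advisory feed would come from a vulnerability database rather than an inline dictionary, and a version that does not appear in the feed is not evidence that the component is safe.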
At the same time, the report found that open source security libraries are roughly 20% more likely to have reported security vulnerabilities than other types of components. This is indicative of the effectiveness of broad community collaboration and active support.