Open source and third-party components expose 'significant risk'
The ubiquity of open source and third-party components in web-based applications poses “significant risk”, according to a report released by Veracode. Analysing data collected over two months from more than 5,000 enterprise applications, the study determined that such components introduce an average of twenty-four “known vulnerabilities” into each web application. These vulnerabilities in turn open the door to substantial threats, including breaches, malware and DDoS attacks.
With as many as 95 percent of IT organisations projected to incorporate some pre-built software in their mission-critical IT solutions by the end of this year, opportunities for malicious activity could run rampant without oversight. This finding deserves special consideration within the online financial sector where, according to the FS-ISAC, “the majority of internal software created by financial services involves acquiring open source components and libraries to augment custom-developed software.”
The crucial point for IT security professionals is that most third-party and open source components receive far less thorough security screening than custom-developed software. The report also notes that “it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used,” so each newly disclosed vulnerability in a shared component can expose “countless” applications at once.
“The data suggests that virtually all applications have at least one critical vulnerability caused by reusable components,” Phil Neray, Veracode's VP of enterprise security strategy, commented on the company's blog. “This tells us we can significantly reduce enterprise risk by continuously auditing our customers' application portfolios for the presence of risky components.”
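The portfolio-wide audit the report calls for, shown as an added example (not Veracode's tooling or any code from the report): given per-application component inventories and an advisory feed, it finds every application carrying an affected version and inverts the result to answer "which applications does this advisory touch?". All application names, component coordinates, versions and advisory ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data: component inventories for three applications
# ("group:artifact:version") and a hypothetical advisory feed. Names, versions
# and advisory ids are placeholders, not real components or CVEs.
PORTFOLIO = {
    "online-banking": ["org.example:web-framework:2.3.15", "org.example:json-parser:2.9.8", "org.example:logging:1.2.17"],
    "mobile-api": ["org.example:web-framework:2.5.20", "org.example:json-parser:2.9.10"],
    "reporting": ["org.example:json-parser:2.9.8", "org.example:logging:1.2.17"],
}
# Each advisory covers a half-open version range: introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "component": "org.example:web-framework", "introduced": "2.0.0", "fixed": "2.3.16"},
    {"id": "ADV-0002", "component": "org.example:json-parser", "introduced": "2.9.0", "fixed": "2.9.9"},
    {"id": "ADV-0003", "component": "org.example:logging", "introduced": "1.0.0", "fixed": None},  # unfixed
]

def parse_version(text):
    """'2.3.15' -> (2, 3, 15): compare numerically, so 2.9.10 is newer than 2.9.8."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version, advisory):
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def audit_portfolio(portfolio, advisories):
    """Map each application to the (component, version, advisory id) findings it carries."""
    by_component = defaultdict(list)
    for adv in advisories:
        by_component[adv["component"]].append(adv)
    findings = defaultdict(list)
    for app, coords in portfolio.items():
        for coord in coords:
            group, artifact, version = coord.rsplit(":", 2)
            key = f"{group}:{artifact}"
            for adv in by_component.get(key, []):
                if is_affected(version, adv):
                    findings[app].append((key, version, adv["id"]))
    return dict(findings)

def blast_radius(findings):
    """Invert the findings: which applications does each advisory touch?"""
    apps = defaultdict(set)
    for app, items in findings.items():
        for _, _, adv_id in items:
            apps[adv_id].add(app)
    return {adv_id: sorted(a) for adv_id, a in apps.items()}
```

Re-running the audit whenever the advisory feed or an application's inventory changes is what turns this into the continuous check the quote above describes.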