Vendors hiding open-source security flaws in commercial software

The use of open source components in commercial software is more common than even vendors are aware of and it's leaving customers open to unpatched flaws.

May the source be with you

Commercial software is full of security vulnerabilities contained within the open source components of these applications, according to a new report.

A study carried out by Black Duck Software found that these flaws were often hidden from the customers that deployed this software on their infrastructure. The report, called “The State of Open Source Security in Commercial Applications” looked at 200 applications over six months. Around two-thirds (67 percent) of open source components had unpatched vulnerabilities.

Worryingly, these vulnerabilities were on average five years old and around 40 percent could be classed as “high severity”, with CVSS scores of seven or more.

Customers were aware of fewer than half (45 percent) of the open source components in the software they had deployed. On average, each application contained 105 open source components and 22 vulnerabilities.

"While many of these companies have internal security programmes and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," said Mike Pittenger, vice president of Security Strategy at Black Duck Software.

"More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

He added that the length of time vulnerabilities remained unpatched indicated that “organisations didn't know about the vulnerabilities, either because they didn't know the component was present, or had not checked public resources for vulnerability information”.
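The two failure modes Pittenger describes, not knowing a component is present and not checking public vulnerability data for the components you do know about, are both mechanical checks once an inventory exists. The following is an added example, not code from the report or from Black Duck: it compares the components a customer believes are deployed with what the build actually bundles, cross-references the real inventory against a vulnerability feed, and reports the figures the article quotes (share of components with unpatched flaws, count of high-severity findings at CVSS 7 or above, mean age). The inventory, the feed entries, their placeholder identifiers and the reference date are all constructed sample data, not real CVE records.

```python
"""Inventory-versus-feed check for bundled open source components.

Added example. DECLARED, ACTUAL, FEED and TODAY are constructed sample
data; the vulnerability IDs are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str     # placeholder identifier, not a real CVE
    component: str
    fixed_in: str    # first version that carries the fix
    cvss: float
    disclosed: date


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; sufficient for the sample data."""
    return tuple(int(p) for p in v.split("."))


def undeclared_components(declared: dict, actual: dict) -> set:
    """Components bundled in the build that the customer's inventory never listed."""
    return set(actual) - set(declared)


def unpatched(actual: dict, feed: list) -> list:
    """Feed entries whose fixing version is newer than what is actually deployed."""
    return [
        v for v in feed
        if v.component in actual
        and parse_version(actual[v.component]) < parse_version(v.fixed_in)
    ]


def summarize(declared: dict, actual: dict, feed: list, today: date) -> dict:
    """Report the figures a customer would want: affected share, severity, age,
    and which high-severity findings sit in components they did not know about."""
    hits = unpatched(actual, feed)
    affected = {v.component for v in hits}
    hidden = undeclared_components(declared, actual)
    mean_age = (
        round(sum((today - v.disclosed).days for v in hits) / len(hits) / 365.25, 2)
        if hits else 0.0
    )
    return {
        "components": len(actual),
        "affected_components": len(affected),
        "affected_pct": round(100 * len(affected) / len(actual)),
        "unpatched_vulns": len(hits),
        "high_severity": sum(1 for v in hits if v.cvss >= 7.0),
        "mean_age_years": mean_age,
        "high_severity_in_undeclared": sorted(
            v.vuln_id for v in hits if v.cvss >= 7.0 and v.component in hidden
        ),
    }


# Constructed sample inventory: what the customer's records say is deployed
# versus what the vendor's build actually bundles.
DECLARED = {"libfoo": "1.2.0", "jsonlib": "3.1.4"}
ACTUAL = {"libfoo": "1.2.0", "jsonlib": "3.1.4",
          "xmlparse": "2.0.1", "cryptolib": "0.9.8"}

# Constructed vulnerability feed with placeholder identifiers.
FEED = [
    Vuln("VULN-PLACEHOLDER-1", "xmlparse", "2.1.0", 9.8, date(2011, 3, 1)),
    Vuln("VULN-PLACEHOLDER-2", "cryptolib", "1.0.0", 7.5, date(2012, 6, 15)),
    Vuln("VULN-PLACEHOLDER-3", "libfoo", "1.1.0", 5.3, date(2014, 1, 10)),   # already fixed in 1.2.0
    Vuln("VULN-PLACEHOLDER-4", "jsonlib", "3.2.0", 4.0, date(2015, 9, 30)),
]

# Constructed reference date for the age calculation.
TODAY = date(2016, 4, 20)

if __name__ == "__main__":
    for key, value in summarize(DECLARED, ACTUAL, FEED, TODAY).items():
        print(f"{key}: {value}")
```

Both high-severity findings in the sample land in the two components the customer never recorded, which is the situation the quote above describes: the static and dynamic testing tools Pittenger mentions do not produce this table, but a component inventory and a feed lookup do.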

Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that all software contains vulnerabilities and more software means more vulnerabilities.

“Developers are busy and fallible. Users are busy and gullible. These basic truths are never going to change. Identifying vulnerabilities and fixing them one by one is the proverbial ‘whack-a-mole’ security plan,” he said.

“You can chase the problem in circles by trying to find and fix holes, or you can try something different and look to make your systems more robust to attack. Businesses have a choice. They can wait until something bad happens and then see if they're able to react to it. Or they can try to do something proactive about it. Security executives have been conditioned by an apathetic market that they can't fix the problem, so they focus on dealing with the symptoms rather than the disease itself. But some businesses are doing something about it, and this will shine a light on those who are not.”

David Emm, principal security researcher at Kaspersky Lab, told SC that where employees use the same device for business and personal data storage, it is important to keep an appropriate level of control over the corporate applications running on those mobile devices.

“This means using a solution that provides ‘containerisation’, separating personal and business data and helping to ensure that corporate data is secure at all times, even if the device is lost,” he said.