Many commercial software and web applications used by organizations have critical vulnerabilities in their open-source components, a new vendor survey warns.
“Buying commercial off-the-shelf software applications is not a risk-free proposition,” says the study sponsored by GrammaTech Inc., which sells software assurance tools. “For multiple reasons, vendors surreptitiously use open-source components in their applications, including components that contain significant levels of vulnerability.”
Using one of GrammaTech’s tools, the company scanned a number of web browsers, email clients, file-sharing and cloud storage clients, online meeting clients and messaging clients for open-source components. Those components were then checked against known vulnerabilities, which were scored on the number and severity of the bugs. From this a weighted score was created.
Among the findings:
- on average, 30 per cent of all open-source components contained at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier;
- applications in the online meetings and email client categories contained the highest average weighting of vulnerabilities;
- all but three of the applications studied included at least one critical vulnerability with a 10.0 CVSS (Common Vulnerability Scoring System) score, which is the highest;
- newer versions of the same open-source components were not always more secure, either as measured by the number of vulnerable components used or the weighted score of vulnerabilities in each component.
Analysis of the data was done by Osterman Research. “Commercial off-the-shelf software applications often include open-source components, many of which contain a range of known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence,” said Michael Sampson, senior analyst at Osterman Research. “This lack of visibility into deployed and to-be-deployed applications is essentially a time bomb that increases an enterprise’s security risk, attack surface and potential for compromise by cybercriminals.”
Top vulnerable components
Of the components identified across the applications in the study, two versions of the Firefox open-source component (not the browser itself) contributed 75.8 per cent of the CVEs found. In second place, 16 versions of the OpenSSL libraries used for secure website communications accounted for a combined 9.6 per cent of the CVEs, and two versions of Libav accounted for 8.3 per cent. According to Wikipedia, Libav is an abandoned free software project which produces libraries and programs for handling multimedia data.
The percentages were derived by counting the number of vulnerabilities in each component when a component is used in an application. Multiple instances of the same component in a single application were counted only once.
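The counting rule just described, as an added example that is neither GrammaTech’s tool nor the report’s data: a small Python model over a constructed inventory with placeholder CVE entries that counts a component version once per application, derives each component’s share of all CVEs, flags applications carrying a CVSS 10.0 finding, and sums CVSS scores per application as an assumed stand-in for the report’s unpublished weighting.

```python
from collections import defaultdict

# Constructed sample inventory (not data from the report): each application
# lists the (component, version) pairs it bundles. A pair may appear twice in
# one application and, following the report's method, is counted only once.
INVENTORY = {
    "MeetingApp": [("libfoo", "1.0"), ("libfoo", "1.0"), ("libssl", "1.1")],
    "MailClient": [("libfoo", "1.0"), ("libav", "12")],
    "Browser": [("libssl", "1.0"), ("libav", "12")],
}

# Constructed vulnerability data: (component, version) -> [(cve_id, cvss)].
# The CVE ids are placeholders, not real identifiers.
KNOWN_VULNS = {
    ("libfoo", "1.0"): [("CVE-0000-0001", 10.0), ("CVE-0000-0002", 5.3)],
    ("libssl", "1.1"): [("CVE-0000-0003", 7.5)],
    ("libssl", "1.0"): [("CVE-0000-0004", 9.8), ("CVE-0000-0005", 4.0)],
    ("libav", "12"): [("CVE-0000-0006", 6.1)],
}

def findings(inventory, vulns):
    """Yield (app, component, version, cve_id, cvss), visiting each distinct
    component version once per application that bundles it."""
    for app, comps in inventory.items():
        for comp, ver in sorted(set(comps)):  # dedupe within one application
            for cve, score in vulns.get((comp, ver), []):
                yield app, comp, ver, cve, score

def component_cve_share(inventory, vulns):
    """Percentage of all CVE findings attributed to each component name."""
    counts = defaultdict(int)
    for _, comp, _, _, _ in findings(inventory, vulns):
        counts[comp] += 1
    total = sum(counts.values())
    return {c: round(100.0 * n / total, 1) for c, n in counts.items()}

def app_scores(inventory, vulns):
    """Per application: (CVE count, weighted score). The report's weighting
    formula is not published; summing CVSS scores is an assumed stand-in."""
    scores = {app: [0, 0.0] for app in inventory}
    for app, _, _, _, score in findings(inventory, vulns):
        scores[app][0] += 1
        scores[app][1] = round(scores[app][1] + score, 1)
    return {app: tuple(v) for app, v in scores.items()}

def apps_with_critical(inventory, vulns, threshold=10.0):
    """Applications bundling at least one CVE scored at or above threshold."""
    return sorted({f[0] for f in findings(inventory, vulns) if f[4] >= threshold})
```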
“The immediate conclusion is that urgently addressing the use of versions of the Firefox, OpenSSL, and Libav open-source components with vulnerabilities would make a significant contribution to decreasing the security risks of using open-source software across the five product categories examined for this report,” said Osterman.
“Any open-source component that includes a high or critical vulnerability should not be ignored and must be dealt with urgently to reduce risk,” the report adds.
Examining an application’s open-source components for vulnerabilities is one way organizations can inform purchasing decisions and risk assessments, the report argues.
The report is available here. Registration required.