Open-source components in commercial software likely have vulnerabilities: Report

Many commercial software and web applications used by organizations have critical vulnerabilities in their open-source components, a new vendor survey warns.

“Buying commercial off-the-shelf software applications is not a risk-free proposition,” says the study sponsored by GrammaTech Inc., which sells software assurance tools. “For multiple reasons, vendors surreptitiously use open-source components in their applications, including components that contain significant levels of vulnerability.”

Using one of GrammaTech’s tools, the company scanned a number of web browsers, email clients, file sharing cloud storage clients, online meeting clients and messaging clients with open source components. Those components were then analyzed for known vulnerabilities, which were scored based on the number and seriousness of the bugs. From this a weighted score was created.

Among the findings:

-on average, 30 per cent of all open-source components contained at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier;

–applications in the online meetings and email client categories contained the highest average weighting of vulnerabilities;

–all but three of the applications studied included at least one critical vulnerability with a 10.0 CVSS (Common Vulnerability Scoring System) score, which is the highest;

–newer versions of the same open-source components were not always more secure, either as measured by the number of vulnerable components used or the weighted score of vulnerabilities in each component.

Analysis of the data was done by Osterman Research. “Commercial off-the-shelf software applications often include open-source components, many of which contain a range of known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence,” said Michael Sampson, senior analyst at Osterman Research. “This lack of visibility into deployed and to be deployed applications is essentially a time bomb that increases an enterprise’s security risk, attack surface and potential for compromise by cybercriminals.”

Top vulnerable components

Of the components identified across the applications in the study, two versions of the Firefox open-source component (not the browser itself) contributed 75.8 per cent of the CVEs found. In second place, 16 versions of the OpenSSL libraries used for secure website communications had a combined 9.6 per cent of the CVEs, and two versions of Libav were 8.3 per cent of the CVEs. According to Wikipedia, Libav is an abandoned free software project which produces libraries and programs for handling multimedia data.

The percentages were derived by counting the number of vulnerabilities in each component when a component is used in an application. Multiple instances of the same component in a single application were counted only once.

“The immediate conclusion is that urgently addressing the use of versions of the Firefox, OpenSSL, and Libav open-source components with vulnerabilities would make a significant contribution to decreasing the security risks of using open-source software across the five product categories examined for this report,” said Osterman.

“Any open-source component that includes a high or critical vulnerability should not be ignored and must be dealt with urgently to reduce risk,” the report adds.

Examining an application’s open-source components for vulnerabilities is one way organizations can make buying and risk assessments, the report argues.

The report is available here. Registration required.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now