Enterprise web application components raise security risks, finds Veracode

Open-source and third-party components introduce vulnerabilities into enterprise web applications, says code analysis company Veracode

Open-source and third-party components introduce an average of 24 vulnerabilities into enterprise web applications, code analysis company Veracode has found.

The finding is based on the analysis of 5,300 enterprise web apps uploaded over two months to the company’s newly released software composition analysis service.

The code analysis revealed that many of the vulnerabilities introduced expose enterprises to significant cyber threats, such as data breaches, malware injections and denial of service (DoS) attacks.

A growing number of enterprises are at risk as they seek to accelerate digital innovation by incorporating re-usable, pre-built software components, often from open-source developers.

According to industry analysts, 95% of all IT organisations will use some element of open-source software in their mission-critical IT systems by 2015.

A report from the Financial Services Information Sharing and Analysis Center (FS-ISAC) says most internal software created by financial services firms involves the use of open-source components.

This is of particular concern in the light of the recent discovery of long-standing vulnerabilities in open-source software, such as Heartbleed, Shellshock and Poodle.

Lax scrutiny

The problem is that most third-party and open-source components do not undergo the same level of security scrutiny as custom-developed software.

To address this risk in the software supply chain, industry groups such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components. However, it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used.

This leaves countless enterprise web and mobile applications at risk – especially once a vulnerability is disclosed publicly.
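The inventory problem described above (knowing every application in which a risky component is pinned, so that a newly disclosed vulnerability can be traced to each affected app) is the core of software composition analysis. The following is an added example, not code from the article or from Veracode; the advisory feed, the component names and the per-application manifests are all constructed for illustration, and the manifest format is assumed to be a simple `name==version` list.

```python
"""Map a constructed advisory feed onto per-application dependency manifests.

Answers the question "which of our applications ship a component version
that predates the fix?" across many repositories at once.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str   # component name as it appears in manifests
    fixed_in: str    # first version that carries the fix
    severity: str


# Constructed advisory feed: fictional components, not real CVEs.
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "high"),
    Advisory("parsekit", "1.0.7", "very high"),
]

# Constructed manifests, one per application or repository (assumed
# pip-style "name==version" pins, one per line, '#' starts a comment).
MANIFESTS = {
    "billing-web": "examplelib==2.3.0\nhttpkit==3.1.0\n",
    "portal-mobile": "parsekit==1.0.2  # vendored by outsourcer\nexamplelib==2.4.1\n",
    "reports": "numkit==1.26.0\n",
}


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Return {component: pinned_version}; unpinned entries are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_affected(manifests: dict, advisories: list) -> list:
    """List (app, component, pinned, fixed_in, severity) for every app that
    pins a component older than the advisory's fixed version."""
    findings = []
    for app, text in manifests.items():
        deps = parse_manifest(text)
        for adv in advisories:
            pinned = deps.get(adv.component)
            if pinned and parse_version(pinned) < parse_version(adv.fixed_in):
                findings.append((app, adv.component, pinned, adv.fixed_in, adv.severity))
    return sorted(findings)


def affected_apps(manifests: dict, advisories: list) -> set:
    """Distinct applications needing a component upgrade."""
    return {finding[0] for finding in find_affected(manifests, advisories)}


if __name__ == "__main__":
    for app, comp, pinned, fixed, sev in find_affected(MANIFESTS, ADVISORIES):
        print(f"{app}: {comp} {pinned} < fixed {fixed} ({sev})")
```

Running the check over all manifests, rather than per team, is what makes the "where is component X used?" question answerable the day an advisory lands; a real deployment would replace the constructed feed with an advisory source and handle lock files and transitive dependencies, which this example does not.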

“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight ‘very high severity’ or ‘high severity’ vulnerabilities per application, caused by open-source and third-party components,” said Phil Neray, Veracode’s vice-president of enterprise security strategy.

“The data suggests virtually all applications have at least one critical vulnerability caused by re-usable components. This tells us we can significantly reduce enterprise risk by continuously auditing our customers’ application portfolios for the presence of risky components,” said Neray.

To capitalise on this need, Veracode’s automated service is designed to help enterprises identify applications with vulnerable components and determine where specific components are used across multiple development teams, including outsourcers.


First a disclaimer: I am co-founder and chairman of WhiteSource. We provide a service that helps development teams manage their use of open source components, and among other things alerts them on security vulnerabilities.

While I am sure that was not the intention, the article comes across as scaring folks about using open source components. The fact of the matter is that open source has no more, nor fewer, bugs and security vulnerabilities than your average commercial software. Furthermore, open source projects are usually patched a lot faster than any commercial product.

Open source makes software (and I mean commercial software) a lot cheaper and more accessible, so its use shall be encouraged. Clearly, all that one needs to make sure is to MANAGE the use of open source with due care. In a way, just like you would do for your own code.

Furthermore, I would argue that it is the duty of software vendors, not enterprise customers, to make sure their open source components are in good shape (patched for bugs and security vulnerabilities). Of course enterprise customers want to make sure their vendors are doing their job and may hire a company like Veracode to do so.

So to sum up, the responsibility shall be as follows:
* Open source communities shall check and patch for vulnerabilities. They do a pretty good job at it already.
* Software vendors shall make sure they know about security vulnerabilities, and make sure that they use the patched version when available. A service like WhiteSource makes this easy.
* Enterprise customers shall verify that software vendors do their job. This can be done economically if each software vendor presents some sort of certification, rather than have the test done by each of their customers.

I hope this helps reduce some of the negative hype around the use of open source components. Open source is critical to our progress, and all you need to do is manage it properly (just like you would do for your own code). You can do this effortlessly with the right service.
One more data point, from a WhiteSource study of about a year ago. Looking at 3000 software projects, 24% contained a security vulnerability in one of their open source components. BUT, and this is the important part, 98% were fixed in the open source project. So all the software vendor had to do was to patch with the new version and that's it.