Enterprise web application components raise security risks, finds Veracode

Open-source and third-party components introduce vulnerabilities into enterprise web applications, says code analysis company Veracode

Open-source and third-party components introduce an average 24 vulnerabilities into enterprise web applications, code analysis company Veracode has found.

The finding is based on the analysis of 5,300 enterprise web apps uploaded over two months to the company’s newly released software composition analysis service.

The code analysis revealed that many of the vulnerabilities introduced expose enterprises to significant cyber threats, such as data breaches, malware injections and denial of service (DoS) attacks.

A growing number of enterprises are at risk as they seek to accelerate digital innovation by incorporating re-usable, pre-built software components, often from open-source developers.

According to industry analysts, 95% of all IT organisations will use some element of open-source software in their mission-critical IT systems by 2015.

A report from the Financial Services Information Sharing and Analysis Center (FS-ISAC) says most internal software created by financial services firms involves the use of open-source components.

This is of particular concern in the light of the recent discovery of long-standing vulnerabilities in open-source software, such as Heartbleed, Shellshock and POODLE.  


Lax scrutiny

The problem is that most third-party and open-source components do not undergo the same level of security scrutiny as custom-developed software.

To address this risk in the software supply chain, industry groups such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components. However, it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used.

This leaves countless enterprise web and mobile applications at risk – especially once a vulnerability is disclosed publicly.

“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight “very high severity” or “high severity” vulnerabilities per application, caused by open-source and third-party components,” said Phil Neray, Veracode’s vice-president of enterprise security strategy.

“The data suggests virtually all applications have at least one critical vulnerability caused by re-usable components. This tells us we can significantly reduce enterprise risk by continuously auditing our customers’ application portfolios for the presence of risky components," said Neray.

To capitalise on this need, Veracode’s automated service is designed to help enterprises identify applications with vulnerable components and determine where specific components are used across multiple development teams, including outsourcers.

Read more on Application security and coding requirements