Commercial software is full of security vulnerabilities from unpatched open source components developers use, according to a report Black Duck Software issued last week.
Software companies misjudge how much open source code their commercial products contain, the report says.
The report, titled “The State of Open Source Security in Commercial Applications,” is based on an analysis of 200 applications researchers viewed over the previous six months.
Ninety-five percent of applications include open source code components, and 67 percent of open source components had unpatched vulnerabilities, researchers found. Many of those software products are heavily used in enterprises today.
The companies thought they used less than 45 percent of open source code in their own software. Many were not aware of the vulnerability risks associated with the open source code they used.
“We knew this information anecdotally from past audits, but now we have empirical evidence to back that up,” said Brian Carter, director of strategic communications for Black Duck.
“We now know that people do not have a really good grasp on where all the open source is and how much they are using,” he told Linux Insider.
The analysis did not find relatively new vulnerabilities that caught researchers by surprise. Rather, many of the vulnerabilities had existed on average for five years.
About 40 percent of the vulnerabilities fell into the high-severity category based on their Common Vulnerability Scoring System, or CVSS, scores of 7 or more. Each application contained on average 105 open source components and 22 vulnerabilities.
CVSS is an open framework for determining the characteristics and severity of software vulnerabilities. Medium severity is assigned to software with a base CVSS score of 4.0 to 6.9. 3. High-severity vulnerabilities come with a CVSS base score of 7.0 to 10.0.
Security Report Summary
Ten percent of the audited applications contained components vulnerable to Heartbleed, a security vulnerability in the OpenSSL cryptography library widely used in the Transport Layer Security protocol.
SSL, or Secure Sockets Layer, is a security technology for encrypting links between Web servers and Web browsers.
The same ratio contained components vulnerable to Poodle. That vulnerability, Padding Oracle On Downgraded Legacy Encryption, is a man-in-the-middle exploit that takes advantage of Internet and security software clients’ fallback to SSL 3.0.
“The companies in this report, particularly those who continued to ship software that included versions of OpenSSL that were susceptible to Heartbleed 18 months after the bug was publicized, are living below the security poverty line,” said Emily Ratliff, senior director of infrastructure security at the Linux Foundation.
Black Duck anatomized the analysis results in the report. Thus, the names of specific software titles and the companies that deployed them are not identified.
“The audits are discreet,” said Carter. “This report is in no way dishonoring open source. It is really about the obligation of folks to do a better job managing and securing their open source.”
Open source software, unlike commercial software, has no Patch Tuesday. Nobody is automating any patching processes. Companies are on their own to patch the code, make the updates and do vulnerability management, said Carter.
“Companies who are not triaging known and tagged security vulnerabilities in open source components in their software are most likely not proactively looking for security vulnerabilities in their own code,” Ratliff told LinuxInsider.
As an industry, software companies need to get much better at security hygiene, she said. They need to focus on secure development practices, vulnerability handling and disclosure, and patching known vulnerabilities quickly.
Open Source Management Needed
Companies use open source because it is free and lowers their development costs. It allows their internal developers to do higher-order tasks and gets them to market faster, according to Carter.
Perhaps the most significant indication of security concerns involving commonly used open source components is that well-publicized vulnerabilities remain unpatched, he noted.
Because companies are getting open source from so many places, they have lost control over its integrity. That leaves them exposed to vulnerabilities that already are publicized in various databases, Carter added.
“They do not have a good automated way of knowing where their code is. This lack of visibility leaves many software developers from being able to stay on top of their vulnerabilities,” he said.
Turning a Corner
The report, written by Mike Pittenger, Black Duck’s vice president of security strategy, is based on audits of customers’ software. The audits usually are requested when a company is involved in a merger or acquisition situation.
Typically, the audits include commercial software that has been on the market for a number of years. The report is the first the company released as part of an expanded role begun in 2014 that attempts to alert software companies of specific vulnerabilities and the location of open source code in their products, Carter said.
“We have never done an aggregated report like this,” he said. “We have talked internally about what they generally see in the individual analysis they conduct of customers’ software. This is the first time Black Duck put the pieces together and released the findings.”
The report focuses on companies in all industries that came to Black Duck as part of a merger or acquisition situation to vet the software involved. It plans to issue reports on the state of open source about twice per year. The goal is to make software developers more aware of their software management needs, Carter said.