Is Open Source code vulnerable? Open Source code is very widely used: typically 75 to 90 percent of a software code base consists of open source components. The problem is that those dependencies are usually black boxes that developers have not had the time to inspect carefully. Developers typically forget which open source utilities they have used and move on to their next task or project. They also seldom have the time to monitor updates to the open source components they use in their projects. That is particularly troubling when a missed update contains a security fix, because without that fix the business is unwittingly exposed to a known vulnerability.
Chris Wysopal, CTO of Veracode, said that “the universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”
Wysopal said “development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using. We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”
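The inventory-and-monitoring practice Wysopal describes can be started with a very small amount of tooling. The following is an added example, not code from the original post or from any product it mentions: it reads a pinned dependency list (a constructed, requirements.txt-style inventory embedded inline) and compares each pinned version against a constructed advisory table that records the first version in which a fix shipped. Anything pinned below the fixed version is reported for update, and an unpinned entry is rejected because an inventory that does not record versions cannot answer the question the article raises. All package names, versions and advisory identifiers are made-up placeholders.

```python
"""
Added example: minimal dependency-inventory check against an advisory table.
Package names, versions and advisory ids are constructed placeholders, not
real advisories.
"""
from dataclasses import dataclass

# Constructed sample inventory in requirements.txt style (not a real project).
INVENTORY = """\
# pinned components of an example application
requests==2.19.0
urllib3==1.24.2
jinja2==2.10
pyyaml==5.4.1
"""

# Constructed advisory table: package -> (placeholder advisory id, first fixed version).
ADVISORIES = {
    "requests": ("ADVISORY-PLACEHOLDER-1", "2.20.0"),
    "urllib3": ("ADVISORY-PLACEHOLDER-2", "1.24.2"),
    "jinja2": ("ADVISORY-PLACEHOLDER-3", "2.10.1"),
}


@dataclass(frozen=True)
class Finding:
    package: str
    pinned: str
    fixed_in: str
    advisory: str


def parse_version(version):
    """Convert '2.10.1' into (2, 10, 1) for tuple comparison.

    Only the leading digits of each dotted component are used, so '2.10rc1'
    compares as (2, 10). Shorter tuples sort before longer ones with the same
    prefix, which is the ordering we want: (2, 10) < (2, 10, 1).
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_inventory(text):
    """Parse 'name==version' lines into a dict; comments and blanks are skipped.

    An unpinned line is an error: without a recorded version the inventory
    cannot tell whether a security fix has been picked up.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency in inventory: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, advisories):
    """Return a Finding for every component pinned below its first fixed version."""
    findings = []
    for name, pinned in deps.items():
        if name not in advisories:
            continue
        advisory_id, fixed_in = advisories[name]
        if parse_version(pinned) < parse_version(fixed_in):
            findings.append(Finding(name, pinned, fixed_in, advisory_id))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{f.package}=={f.pinned} is below fixed version {f.fixed_in} ({f.advisory})")
```

Run against the constructed inventory this reports `requests` and `jinja2`; `urllib3` is exactly at the fixed version and `pyyaml` has no advisory entry. In a real pipeline the advisory table would be refreshed from a vulnerability feed and the check run on every build, so that the "time is of the essence" window between disclosure and upgrade is measured rather than guessed.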
GitHub, for example, recently scanned about half a million of the open source repositories it hosts and uncovered more than four million vulnerabilities. The repository owners were notified, and within the next two months 450,000 of those vulnerabilities were resolved. GitHub now scans every new repository update for security problems and notifies the owners if any are found.