An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.
If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.
Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.
"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.
Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."
It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.
Read More: http://www.darkreading.com/application-security/open-source-software-brings-bugs-to-web-applications/d/d-id/1316878?_mc=NL_DR_EDT_DR_weekly_20141023&cid=NL_DR_EDT_DR_weekly_20141023&elq=39da7f9fc52a4cd6ada82d9d5e34a2e9&elqCampaignId=9872
If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.
Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.
"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.
Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."
It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.
Read More: http://www.darkreading.com/application-security/open-source-software-brings-bugs-to-web-applications/d/d-id/1316878?_mc=NL_DR_EDT_DR_weekly_20141023&cid=NL_DR_EDT_DR_weekly_20141023&elq=39da7f9fc52a4cd6ada82d9d5e34a2e9&elqCampaignId=9872
