Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components.
Even worse, these software makers would not be able to tell which of their applications are affected by a known component flaw even if they wanted to because of poor inventory practices.
Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository.
Sonatype runs the hosting infrastructure for the repository, which is known as the Central Repository, but does not police what goes in and out. That falls to the community of open-source developers who contribute components to it, each being responsible for their own creations. The Central Repository is the default repository for Apache Maven, SBT and other Java build tools.
A separate analysis of the top 100 components downloaded in 2014 by 29 large financial services and technology companies revealed that those companies used an average of 27 different versions of each component. This means that most of them were using outdated, less functional and potentially vulnerable component versions in their applications, Sonatype said Tuesday in a report about the state of the software supply chain.
In one case, developers working for a financial services firm had downloaded, over the course of the year, 51 of the 58 versions available for the Spring application framework.
This is indicative of the poor software inventory practices in most companies that develop applications for their own use or for others. The problem is not new, but Sonatype's findings suggest that it is getting worse as the level and velocity of open-source component consumption increases.
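The inventory gap described above (many versions of the same component in use, with no easy way to tell which ones carry a known flaw) is what a dependency inventory check is meant to close. The following is an added example, not code from Sonatype or from the article: it parses output in the shape of `mvn dependency:list`, counts the distinct versions in use per artifact, and flags every version older than the fix version in a constructed advisory list. The coordinates, versions and advisories are invented for the example; the version comparison only looks at the leading numeric segments of a version string, which is enough for the sample but not a full Maven version-ordering implementation.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `mvn dependency:list` output
# (groupId:artifactId:packaging:version:scope). The coordinates are
# invented for this example and do not refer to real projects.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:widget-core:jar:2.2.0:compile
[INFO]    org.example:widget-core:jar:2.3.1:compile
[INFO]    org.example:widget-core:jar:2.1.4:test
[INFO]    org.example:http-client:jar:1.0.9:compile
[INFO]    org.example:http-client:jar:1.1.0:compile
[INFO]    org.example:logging-bridge:jar:3.0.0:runtime
"""

# Constructed advisory feed: artifact -> first version that carries the fix.
# In a real pipeline this comes from a vulnerability database, not a literal.
ADVISORIES = {
    "org.example:widget-core": "2.3.0",
    "org.example:http-client": "1.1.0",
}

# One resolved dependency line: [INFO]    group:artifact:packaging:version:scope
COORD_RE = re.compile(r"^\[INFO\]\s+([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):(\w+)")


def version_key(version):
    """Leading numeric segments as a tuple, e.g. '2.3.1.RELEASE' -> (2, 3, 1)."""
    key = []
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            key.append(int(part))
        else:
            break
    return tuple(key)


def parse_dependency_list(text):
    """Return (artifact, version, scope) tuples from dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.match(line)
        if m:
            group, artifact, version, scope = m.groups()
            deps.append((f"{group}:{artifact}", version, scope))
    return deps


def versions_per_artifact(deps):
    """Inventory view: the distinct versions in use for each artifact."""
    inventory = defaultdict(set)
    for artifact, version, _scope in deps:
        inventory[artifact].add(version)
    return {a: sorted(v, key=version_key) for a, v in inventory.items()}


def flag_vulnerable(deps, advisories):
    """(artifact, version) pairs older than the fixed version in the advisory feed."""
    flagged = set()
    for artifact, version, _scope in deps:
        fixed = advisories.get(artifact)
        if fixed and version_key(version) < version_key(fixed):
            flagged.add((artifact, version))
    return sorted(flagged)


if __name__ == "__main__":
    deps = parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for artifact, versions in versions_per_artifact(deps).items():
        print(f"{artifact}: {len(versions)} version(s) in use: {', '.join(versions)}")
    for artifact, version in flag_vulnerable(deps, ADVISORIES):
        print(f"KNOWN-VULNERABLE {artifact}:{version} (fixed in {ADVISORIES[artifact]})")
```

Run against a real build, the inventory step alone exposes the version sprawl the report describes; the advisory step is only as good as the feed behind it, so the fix versions must come from a maintained vulnerability source rather than a hand-kept table.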
Overall, the Central Repository was used by over 100,000 organizations and served 17.2 billion download requests in 2014, a third more than the previous year. The repository hosts 217,000 components that combined have over 830,000 versions.
There is a supply chain discipline to how companies from the various manufacturing industries source their components and track where they use them, that the software development industry has not yet embraced, said Joshua Corman, Sonatype's CTO. Software development companies have had the luxury of not having to worry about that for a long time, but their increased dependence on third-party code combined with increased focus from attackers has generated significant risk for the software and infrastructure we're all depending on, he said.
Sonatype has determined that over 6 percent of the download requests from the Central Repository in 2014 were for component versions with known vulnerabilities. The company's review of over 1,500 applications showed that, by the time they were developed and released, each of them had an average of 24 severe or critical flaws inherited from their components.