
Software flaws reach all-time high with open source a growing worry

John E Dunn | March 30, 2015
Most applications are patched by vendors on day one. But a dangerous minority - especially third-party open source - take a lot longer

As for the anxiety-ridden topic of zero days, once rare, these are now a major aspect of any and every vulnerability report, rising from 14 in 2013 to 25 last year, almost all in the top 25 most popular applications. This underlines the importance of rapid patching.

Secunia touches on the issue of open source flaws, timely given that several high-profile issues were discovered during 2014 in bits of software nobody had paid much attention to until then.

According to Secunia, there is a major problem here because even large vendors don't seem to be reacting rapidly to these issues. Unlike closed source software that has gone through years of pain, there seems to be a degree of complacency among some vendors.

Again, Secunia doesn't name names, but one vendor took 160 days to issue a patch for the one OpenSSL flaw, with a number of others taking weeks to address Heartbleed and Shellshock. To be clear, this isn't an issue to do with open source software per se so much as with the third parties using it inside their products.

"We find that there is no general pattern to response times. Consequently, organisations can not presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open source libraries," said Lindgaard.

 
