Enterprise applications that include open source or third-party components carry an average of 24 known vulnerabilities each, leaving companies exposed to the next Heartbleed or Shellshock.
Veracode, the application security vendor, analysed 5,300 enterprise applications and found all of them exposed to threats such as data breaches, malware injection and denial-of-service attacks, because third-party and open source components receive less stringent checks than in-house code.
“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight ‘Very High Severity’ or ‘High Severity’ vulnerabilities per application caused by open source and third-party components,” said Phil Neray, Veracode’s VP of enterprise security strategy.
Industry groups such as OWASP, PCI and FS-ISAC already address software supply chain risk by requiring policies and controls that cover the use of components. The practical problem is that a global enterprise with many separate code repositories can find it exceedingly difficult to pinpoint which applications use a given risky open source or third-party component, which is exactly the inventory it needs the day a new vulnerability in that component is disclosed.
This is further compounded by the fact that third-party and open source components do not undergo the same level of security checks as custom-developed software, so their vulnerabilities go undetected.
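As an added illustration of the pinpointing problem described above (this is example code written for this page, not Veracode's service or any vendor's product), the script below parses constructed dependency manifests for three applications, matches every pinned component against a constructed advisory list with version ranges and severities, reports which applications ship an affected build, and refuses to drop manifest lines it cannot parse, since a silently skipped pin is an unknown risk. All component names, versions, advisory identifiers and severities are made up for illustration.

```python
"""Minimal software-composition check over per-application manifests.

Added example for this page; not Veracode's code. Every advisory,
component name and version below is constructed, not a real advisory.
"""
import re

# Constructed advisories: component -> list of (introduced, fixed, severity, id).
# A version v is affected when introduced <= v < fixed; fixed=None means no
# fixed release exists yet, so every version from `introduced` on is affected.
ADVISORIES = {
    "ssl-lib":   [((1, 0, 1), (1, 0, 2), "Very High", "ADV-0001")],
    "shell-lib": [((4, 0, 0), (4, 3, 25), "High", "ADV-0002")],
    "web-fw":    [((2, 0, 0), (2, 3, 20), "High", "ADV-0003")],
    "log-util":  [((1, 0, 0), None, "Medium", "ADV-0004")],
}

# Constructed manifests for three applications kept in different repositories
# (requirements.txt style: one "name==version" per line, '#' starts a comment).
MANIFESTS = {
    "payments-api": "ssl-lib==1.0.1\nweb-fw==2.3.20\nhttp-client==2.3.0\n",
    "hr-portal":    "ssl-lib==1.0.2\nshell-lib==4.3.24\nlog-util==1.2.0\n",
    "reporting":    "# pinned build deps\n\nweb-fw==2.3.16\nlog-util==0.9.1\nodd-lib==beta\n",
}


def parse_version(text):
    """'2.3.20' -> (2, 3, 20). Raises ValueError for anything non-numeric."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(text)
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return ({component: version_tuple}, [lines that could not be parsed])."""
    components, unparsed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        try:
            if not sep:
                raise ValueError(line)
            components[name.strip().lower()] = parse_version(version.strip())
        except ValueError:
            # Never drop a line silently: an unparsed pin is an unknown risk.
            unparsed.append(line)
    return components, unparsed


def is_affected(version, introduced, fixed):
    """Range check with zero-padding so that 1.0 and 1.0.0 compare equal."""
    width = max(len(version), len(introduced), len(fixed or ()))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(introduced) <= pad(version) and (fixed is None or pad(version) < pad(fixed))


def scan(manifests, advisories):
    """Return ({app: [(component, version, advisory_id, severity)]},
    {app: [unparsed lines]}) so coverage gaps are reported, not hidden."""
    findings, gaps = {}, {}
    for app, text in manifests.items():
        components, unparsed = parse_manifest(text)
        hits = []
        for name, version in sorted(components.items()):
            for introduced, fixed, severity, adv_id in advisories.get(name, []):
                if is_affected(version, introduced, fixed):
                    hits.append((name, ".".join(map(str, version)), adv_id, severity))
        findings[app] = hits
        gaps[app] = unparsed
    return findings, gaps


def where_used(findings, component):
    """Pinpoint every application shipping a vulnerable build of `component`."""
    return sorted(app for app, hits in findings.items()
                  if any(hit[0] == component for hit in hits))


def high_severity_count(findings):
    """Per-application count of High / Very High findings."""
    return {app: sum(1 for hit in hits if hit[3] in ("High", "Very High"))
            for app, hits in findings.items()}


if __name__ == "__main__":
    findings, gaps = scan(MANIFESTS, ADVISORIES)
    for app in sorted(findings):
        print(f"{app}: {len(findings[app])} finding(s), "
              f"{len(gaps[app])} unparsed line(s)")
        for component, version, adv_id, severity in findings[app]:
            print(f"  {severity:9} {adv_id} {component}=={version}")
        for line in gaps[app]:
            print(f"  UNPARSED  {line}")
    print("ships vulnerable ssl-lib:", where_used(findings, "ssl-lib"))
```

Running it prints per-application findings, and the `where_used` lookup is the question an engineer asks the day a Heartbleed-style advisory lands: which of our applications ship the affected version? Real dependency declarations come in many formats and are often absent from a shipped binary altogether, which is one reason commercial composition analysis works from built artefacts rather than trusting declared pins alone.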
To reduce the number of vulnerabilities present, Veracode has introduced a new automated service that lets enterprises find exactly where the flaws exist and which teams, including outsourcers, use the affected components. Companies can use the service right away, as it works with all software they have already uploaded for binary static analysis (SAST).
Veracode claims the new solution makes it the only vendor to offer a unified platform for SAST, DAST and software composition analysis, with the cloud-based platform also providing centralised policies and KPIs to measure security posture consistently across business units and teams.