Open-source components are a security risk, Veracode says

Widespread use of open-source, or third-party, components is creating a lot of unmanaged risk among businesses, according to a new report by Veracode.

Its State of Software Security Report (SoSS) says that 97 per cent of Java applications have at least one component with a known vulnerability.

Almost two thirds (60 per cent) of applications fail security policies on first scan, but the top 25 per cent of organisations fix almost 70 per cent more vulnerabilities than the average company.  Developers with more power are faster and more efficient – those that have sandbox technology at their disposal have shown double the speed in fix rates. Also, adding security to DevOps processes, something Veracode dubs DevSecOps, yields great results for organisations, reducing risk without slowing software development down.  

“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” said Brian Fitzgerald, CMO, Veracode. 

“Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”

“The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments,” said Chris Wysopal, co-founder and CTO, Veracode.  
