Skip to main content

Commercial apps with open source code are full of holes

“If you’re using open source, chances are you are likely including vulnerabilities known to the world at large.” This is a quote taken from the latest open source security report, released by software company Black Duck.

The company analysed more than 200 applications that are based on, or partially use, open source material, over a six-month period. The results are that 67 per cent of them have vulnerabilities, and every application has at least five vulnerable components.

It was found that more than 10 per cent have the Heartbleed vulnerability, and almost 10 per cent POODLE. LogJam and FREAK were present at almost five per cent.

“Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components, the public disclosure of vulnerabilities (often with sample exploits) and access to the source code make the attacker’s job simpler,” the report says.

“In addition, without a traditional support model, users are typically unaware of new updates and vulnerabilities.”

The report also encourages everyone to keep using open source, and not shy away from it because of these vulnerabilities. Visibility into the included components is required, it was said.

“This would provide the ability to switch to newer (or at least less vulnerable) versions of the same components.”

But perhaps the most disturbing part of the research is how old these vulnerabilities are. On average, they had been disclosed more than five years before the analysis. Organisations didn’t know about them either because they didn’t know the component was present, or because they didn’t check for vulnerability information.

The full report can be found on this link.

Image Credit: Bildagentur Zoonar GmbH / Shutterstock

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.