
Open-source components are a security risk, Veracode says

Widespread use of open-source and other third-party components is creating a lot of unmanaged risk among businesses, according to a new report by Veracode. Its State of Software Security Report (SoSS) says that 97 per cent of Java applications have at least one component with a known vulnerability.

Almost two thirds (60 per cent) of applications fail security policies on first scan, but the top 25 per cent of organisations fix almost 70 per cent more vulnerabilities than the average company. Developers with more power are faster and more efficient – those that have sandbox technology at their disposal have shown double the speed in fix rates. Also, adding security to DevOps processes, something Veracode dubs DevSecOps, yields great results for organisations, reducing risk without slowing software development down.

“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” said Brian Fitzgerald, CMO, Veracode. 

“Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease with which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”

“The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments,” said Chris Wysopal, co-founder and CTO, Veracode.  

The full report can be found on this link.

Image source: Shutterstock/McIek

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.