Many Commercial Software Projects Contain Older, Vulnerable Open-Source Code

Published: 22/11/2024   Category: security




More than one-fifth contain older and less secure versions of open-source code, new study finds



A study of nearly 3,000 commercial software projects found that some 23 percent of them contain open-source components with security flaws.
White Source Software also found that some 98.7 percent of those vulnerable open-source libraries were not the most up-to-date versions. Rami Sass, CEO of White Source, says that's because there's typically a disconnect between the open-source community and the developers who adopt their code in their software projects.
"Developers don't have a good way to keep track and in touch with the work the open-source community members do and the patches and security issues they track," Sass says. "The chances [are better] that developers hear about [open-source] security vulnerabilities in their projects only if it comes out in the press. Otherwise, they're not going to go out and look."
White Source studied open-source library information from various commercial projects as well as an index of known vulnerabilities to gather the data.
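The study's method, comparing the open-source components each project ships with against an index of known vulnerabilities and against the current upstream release, can be reproduced on a small scale. The following Python script is an added example, not code from the article or from White Source; the component names, CVE identifiers, version ranges, "latest release" table and the dependency manifest it reads are all constructed placeholders, and the version comparison handles only plain dotted numeric versions.

```python
"""Cross-check a dependency manifest against a known-vulnerability index.

Added example (not from the article or from White Source). It mirrors the
study's approach: for every open-source component a project bundles, look up
the advisories that cover that exact version and check whether a newer
release exists upstream. All identifiers and version ranges are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.5' into (3, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    component: str
    cve: str          # placeholder id, constructed for this example
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that is no longer affected (exclusive)


@dataclass
class Finding:
    component: str
    version: str
    cves: List[str]   # advisories matching the bundled version
    latest: str       # current upstream release
    outdated: bool    # bundled version is older than `latest`


# Constructed vulnerability index: placeholder CVE ids and made-up version ranges.
INDEX = [
    Advisory("example-framework", "CVE-0000-0001", "3.0.0", "3.0.6"),
    Advisory("example-framework", "CVE-0000-0002", "2.5.0", "3.0.2"),
    Advisory("example-parser", "CVE-0000-0003", "2.7.0", "2.9.0"),
]

# Constructed table of what each upstream community currently ships.
LATEST = {"example-framework": "3.1.0", "example-parser": "2.9.1", "example-upload": "1.3.1"}


def affected(adv: Advisory, version: str) -> bool:
    """True when `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; blank lines and '#' comments are skipped."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        manifest[name.strip()] = version.strip()
    return manifest


def audit(manifest: Dict[str, str]) -> List[Finding]:
    """Report every component that is either vulnerable or behind the latest release."""
    findings: List[Finding] = []
    for component, version in sorted(manifest.items()):
        cves = [a.cve for a in INDEX if a.component == component and affected(a, version)]
        latest = LATEST.get(component, version)  # unknown component: assume current
        outdated = parse_version(version) < parse_version(latest)
        if cves or outdated:
            findings.append(Finding(component, version, cves, latest, outdated))
    return findings


# Constructed dependency manifest for a fictional project.
SAMPLE_MANIFEST = """
# third-party components bundled with the build
example-framework==3.0.1
example-parser==2.9.1
example-upload==1.2.0
"""

if __name__ == "__main__":
    for f in audit(parse_manifest(SAMPLE_MANIFEST)):
        status = "VULNERABLE " + ",".join(f.cves) if f.cves else "no known CVE"
        tail = " (outdated)" if f.outdated else ""
        print(f"{f.component} {f.version}: {status}; latest {f.latest}{tail}")
```

On the constructed input the script reports `example-framework 3.0.1` as hit by two advisories and behind the latest release, and `example-upload 1.2.0` as outdated with no known advisory; `example-parser 2.9.1` is current and outside the advisory range, so it is not listed. Separating "has a known CVE" from "is behind upstream" matters because the article's point is that 98.7 percent of the vulnerable libraries were also out of date: the second condition is the cheap signal a team can act on before a CVE is ever published.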
Open-source software increasingly is being scrutinized for vulnerabilities, and security experts have been warning enterprises to ensure they are using the most updated versions of open-source libraries. An estimated 80 to 90 percent of custom software uses open-source libraries.
The FS-ISAC (Financial Services Information Sharing and Analysis Center) last month proposed a series of basic security controls for ensuring the security of third-party software used by financial services firms, including policy management for open-source software libraries and components. The goal is to help financial firms ensure their developers are adopting the most current and secure versions of open-source code.
White Source's Sass says open-source software is typically secure. "Open-source communities are very diligent and go through a lot of trouble fixing and identifying problems. The real issue is the disconnect between that community and its end users," he says. Many organizations who build their apps with open-source code don't keep track of updates or patches, for example, he says.
The most common open-source security flaws found in the study were CVE-2011-2730, a configuration flaw in the Spring Framework; CVE-2012-0213, a resource management error in Apache; CVE-2011-2894, a permissions, privileges, and access control flaw in Spring; CVE-2009-2625, a permissions, privileges, and access control flaw in Apache Xerces2; and CVE-2013-0248, a permissions, privileges, and access control flaw in Apache Commons FileUpload.
