Open-Source Software Brings Bugs To Web Applications

Published: 22/11/2024   Category: security




An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.



If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.
Open-source and third-party software components also introduced an average of eight very-high-severity or high-severity security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.
"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too... That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse as researchers find more bugs and attackers start using them."
Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."
It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for the resources needed to keep their code clean, leading to problems like Heartbleed, for instance, but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.
John Pironti, president of IP Architects, says open-source code can be yet another attack surface for the bad guys. "Businesses that decide to use open-source code should understand the weaknesses that could potentially be there and how it could affect in the future weaknesses you don't know about of your systems and your data," he told Dark Reading in a video interview this month.
"Any sensitive or classified data may not be a good fit for an open source library," he said. "If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."
"We're trying to reduce the surface area the adversary has to attack you," Pironti said. "And the more they know about you, the more opportunities they can use to go after you."
Veracode found that remote code execution bugs were the most prominent type of flaw in the open-source components it studied in enterprise web applications. Why the large number of bugs in these enterprise applications? Wysopal says open-source code flaws are a blind spot in enterprise applications. "The good news is that attackers traditionally go for the low-hanging fruit," he says, but that could change, given the wider adoption of open-source libraries.
In its research, Veracode used its new cloud-based software composition analysis service, which spots vulnerable components in applications and identifies where those components are used in various applications and systems.
Wysopal says the company had been working on the new service when Heartbleed hit and took it for a spin then. "Heartbleed was the perfect example of a commonly used open-source component that had vulnerabilities." Veracode found that its customers on average had at least one application vulnerable to Heartbleed when the flaw was revealed. "That surprised me. That seemed to be heavy usage of the vulnerable version of OpenSSL."
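As an added illustration (not Veracode's code or service), here is a minimal software composition analysis check in Python: it parses component versions, matches them against a small advisory list, and reports which applications carry a vulnerable component. The advisory list and application inventories are constructed sample data; the OpenSSL range (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed) reflects the Heartbleed versions, and the second advisory is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory list: (component, first vulnerable, first fixed, label).
# OpenSSL 1.0.1 through 1.0.1f were affected by Heartbleed; 1.0.1g fixed it.
# The second entry is a placeholder, not a real advisory.
ADVISORIES = [
    ("openssl", "1.0.1", "1.0.1g", "Heartbleed"),
    ("example-lib", "2.0.0", "2.3.1", "PLACEHOLDER-ADVISORY"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.1f' into a comparable tuple. Numeric parts are padded to four
    fields; an OpenSSL-style letter suffix becomes a trailing number, and a
    missing suffix sorts before 'a' (so 1.0.1 < 1.0.1a < 1.0.1g < 1.0.2)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (suffix,)

def is_vulnerable(component: str, version: str) -> List[str]:
    """Return labels of advisories whose [first_vuln, first_fixed) range holds version."""
    ver = parse_version(version)
    return [label for name, first_vuln, first_fixed, label in ADVISORIES
            if name == component
            and parse_version(first_vuln) <= ver < parse_version(first_fixed)]

def scan(inventories: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each application to its (component, version, advisory) findings,
    answering the SCA question of where a vulnerable component is actually used."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for app, components in inventories.items():
        findings = [(c, v, label) for c, v in components.items()
                    for label in is_vulnerable(c, v)]
        if findings:
            report[app] = findings
    return report

# Constructed inventories: the component list an SCA tool would extract per app.
SAMPLE_APPS = {
    "billing-portal": {"openssl": "1.0.1e", "example-lib": "2.3.1"},
    "intranet": {"openssl": "1.0.1g"},
    "legacy-crm": {"openssl": "0.9.8y", "example-lib": "2.1.0"},
}

if __name__ == "__main__":
    for app, findings in scan(SAMPLE_APPS).items():
        for component, version, label in findings:
            print(f"{app}: {component} {version} -> {label}")
```

Only billing-portal (OpenSSL 1.0.1e) and legacy-crm (the placeholder library) are reported; intranet already runs the fixed 1.0.1g, and 0.9.8y predates the vulnerable range.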
