Open source code libraries seen as rife with vulnerabilities

By , Network World |  Security

A study of how 31 popular open-source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and about a quarter of the downloads were tainted.

The study was undertaken by Aspect Security, which evaluates software for vulnerabilities, with Sonatype, a firm that provides a Central Repository housing more than 300,000 libraries for downloading open-source components and gets 4 billion requests per year.

READ: Open source group urges EU parliament to reject Microsoft 'bribe'

"Increasingly over the past few years, applications are being constructed out of libraries," says Jeff Williams, CEO of Aspect Security, referring to "The Unfortunate Reality of Insecure Libraries" study. Open-source communities have done little to provide a clear way to spotlight code found to have vulnerabilities or identify how to remedy it when a fix is even made available, he says.

"There's no notification infrastructure at all," says Williams. "We want to shed light on this problem."

He adds that Aspect and Sonatype are mulling how it might be possible to improve the situation overall.

According to the study, researchers at Aspect analyzed 113 million software downloads made over 12 months from the Central Repository of 31 popular Java frameworks and security libraries (Aspect says one basis for the selection of libraries were those being used by its customers). Researchers found:

- 19.8 million (26%) of the library downloads have known vulnerabilities.

- The most downloaded vulnerable libraries were Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x. (The other libraries examined were: Apache CXF; Hibernate; Java Servlet; Log4j; Apache Velocity; Spring Security; Apache Axis; BouncyCastle; Apache Commons; Tiles; Struts2; Wicket; Java Server Pages; Lift; Hibernate Validator; Java Server Faces; Tapestry; Apache Santuario; JAX-WS; Grails; Jasypt; Apache Shiro; Stripes; AntiSamy; ESAPI; HDIV and JBoss Seam.)

Security libraries are slightly more likely to have a known vulnerability than frameworks, the study says. "Today's applications commonly use 30 or more libraries, which can compromise up to 80% of the code in an application," according to the study.

The types of vulnerabilities found in open source code libraries vary widely.


Originally published on Network World |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness