Flaws lurking in open source code may lead to a new Heartbleed


Application security testing provider Veracode has discovered that after an initial scan, seven in ten applications contain a security flaw in an open source library.
The company’s new research highlights how using open source can introduce flaws, increase risk and add to security debt. To compile its new State of Software Security (SOSS): Open Source Edition report, Veracode analyzed the open source libraries included in the 85,000 applications in its platform database, which together account for 351,000 unique external libraries.
Almost all modern applications, including those sold commercially, are built using some open source components. However, a single flaw in one library cascades to every application that leverages that code. In a press release, Veracode’s chief research officer Chris Eng explained how using open source libraries can expand an application’s attack surface:
“Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”
Open source libraries
According to Veracode, commonly included libraries are present in over 75 percent of applications for each programming language. The company’s research also found that flawed libraries often end up in code indirectly: 47 percent of the flawed libraries found in applications are transitive dependencies, pulled in not directly by developers but by upstream libraries.
Thankfully, library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required. However, developers cannot rely on CVEs (Common Vulnerabilities and Exposures) to learn about library flaws, as not all flawed libraries have one. For example, more than 61 percent of flawed JavaScript libraries have no corresponding CVE.
The report also revealed that some programming language ecosystems tend to pull in many more transitive dependencies than others. In more than 80 percent of JavaScript, Ruby and PHP applications, the majority of libraries are transitive dependencies.
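The transitive-dependency point can be made concrete with a small script. The following is an added example, not code from the article or from Veracode: the dependency graph, installed versions and advisory entries are constructed sample data, the package names are invented, and the CVE id is a placeholder. It resolves an application’s dependency tree, matches it against advisories, and reports for each flawed library whether it was declared directly or pulled in by an upstream library (with the path that introduces it), whether a CVE exists for it, and whether the fix is a minor or a major version bump.

```python
from collections import deque

# Constructed sample data (not from the Veracode report): the application's
# dependency graph, the versions actually installed, and a small advisory feed.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["template-engine", "http-core"],
    "template-engine": ["string-utils"],
    "http-core": ["string-utils"],
    "json-lib": [],
    "string-utils": [],
}

INSTALLED_VERSIONS = {
    "web-framework": "3.2.0",
    "template-engine": "1.9.4",
    "http-core": "0.8.1",
    "json-lib": "2.1.0",
    "string-utils": "1.4.0",
}

# Advisory entries (constructed). "cve" is None where no CVE was assigned, which the
# article notes is common; versions below "fixed_in" are vulnerable.
ADVISORIES = [
    {"package": "string-utils", "fixed_in": "1.4.2", "cve": None,
     "weakness": "cross-site scripting"},
    {"package": "json-lib", "fixed_in": "3.0.0", "cve": "CVE-0000-00000 (placeholder id)",
     "weakness": "insecure deserialization"},
    {"package": "http-core", "fixed_in": "0.8.0", "cve": None,
     "weakness": "broken access control"},  # installed 0.8.1 already carries this fix
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def resolve_dependencies(graph, root):
    """Breadth-first walk from root. Returns {package: (depth, parent)} where depth 1
    means declared directly by the application and depth >= 2 means transitive.
    The first visit wins, so each package keeps its shortest path."""
    resolved = {}
    queue = deque([(root, 0, None)])
    while queue:
        package, depth, parent = queue.popleft()
        if package in resolved:
            continue
        resolved[package] = (depth, parent)
        for dep in graph.get(package, []):
            queue.append((dep, depth + 1, package))
    return resolved


def dependency_path(resolved, package):
    """Chain from the root down to package, e.g. ['app', 'web-framework', ...]."""
    chain = [package]
    while resolved[chain[-1]][1] is not None:
        chain.append(resolved[chain[-1]][1])
    return list(reversed(chain))


def fix_kind(installed, fixed_in):
    """'minor' if the fix keeps the same major version (a minor or patch bump), else 'major'."""
    same_major = parse_version(installed)[0] == parse_version(fixed_in)[0]
    return "minor" if same_major else "major"


def assess(graph, versions, advisories, root="app"):
    """Match advisories against the resolved tree; return one finding per affected library."""
    resolved = resolve_dependencies(graph, root)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in resolved:
            continue  # library is not in this application's tree
        installed = versions[pkg]
        if parse_version(installed) >= parse_version(adv["fixed_in"]):
            continue  # installed version already includes the fix
        depth = resolved[pkg][0]
        findings.append({
            "package": pkg, "installed": installed, "fixed_in": adv["fixed_in"],
            "weakness": adv["weakness"], "cve": adv["cve"],
            "origin": "direct" if depth == 1 else "transitive",
            "path": dependency_path(resolved, pkg),
            "fix": fix_kind(installed, adv["fixed_in"]),
        })
    return findings


def transitive_share(findings):
    """Fraction of flawed libraries that reach the application only via an upstream library."""
    if not findings:
        return 0.0
    return sum(f["origin"] == "transitive" for f in findings) / len(findings)


if __name__ == "__main__":
    results = assess(DEPENDENCY_GRAPH, INSTALLED_VERSIONS, ADVISORIES)
    for f in results:
        print(f"{f['package']} {f['installed']} -> {f['fixed_in']} ({f['fix']} bump), "
              f"{f['origin']} via {' -> '.join(f['path'])}; {f['weakness']}; "
              f"{f['cve'] or 'no CVE assigned'}")
    print(f"transitive share of flawed libraries: {transitive_share(results):.0%}")
```

The path matters for remediation: a transitive library such as the constructed `string-utils` cannot simply be bumped in the application’s own manifest, since the version is chosen by `template-engine` upstream; the finding tells the developer which direct dependency has to be updated or overridden.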
Programming language selection also plays a role, both in the size of the ecosystem and in the prevalence of flaws within it. For instance, including any given PHP library has a greater than 50 percent chance of bringing a security flaw along with it.
Of the OWASP Top Ten flaws, weaknesses around access control are the most common and represent over 25 percent of all flaws. Cross-Site Scripting (XSS) is the most common vulnerability category found in open source libraries (30%), followed by insecure deserialization (23.5%) and broken access control (20.3%).