Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows:
Ninety-one per cent of commercial applications include outdated or abandoned open source components, underscoring the potential vulnerability of organizations using untended code, according to a software review.
Synopsys, a California-based design automation biz, conducted an audit of 1,253 commercial codebases in 17 industries for its 2020 Open Source Security and Risk Analysis report.
It found that almost all (99 per cent) of the codebases examined have at least one open source component and that 70 per cent of the code overall is open source. That's about twice as much as the company's 2015 report, which found only 36 per cent of audited code was open source.
Good news, then: open source code has become more important to organizations, but its risks have followed, exemplified by vulnerabilities like the 2014 Heartbleed memory disclosure bug in OpenSSL and the Apache Struts flaws identified in 2017 and 2018.
Ninety-one per cent of the audited applications had components that were either four years out of date or had shown no active development for two years. In 2019, the period covered by the 2020 report, the percentage of codebases containing vulnerable components rose to 75 per cent, up from 60 per cent in 2018.
The percentage of applications afflicted with high-risk flaws reached 49 per cent in 2019, up from 40 per cent in 2018.
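The two staleness criteria quoted above (a component whose version in use is four years behind the current release, or a project with no development activity for two years) are simple enough to apply to any dependency inventory. The script below is an added example written for this page; it is not Synopsys's tooling or code from the report. It assumes "four years out of date" means the version in use was released more than four years before the newest upstream release (that reading is an assumption), and it runs over a constructed inventory with made-up release dates, using the page's own date as the reference point. A component whose activity date is unknown is reported as such rather than counted as healthy, and is excluded from the headline "untended" figure so that number only reflects positive evidence of staleness.

```python
"""Staleness audit over a constructed dependency inventory (added example).

Applies the two criteria the report describes for "outdated or abandoned"
components. All component names, versions and dates below are constructed
sample data, not real release history.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

OUT_OF_DATE_YEARS = 4.0   # version in use lags the newest release by more than this
ABANDONED_YEARS = 2.0     # no upstream commit or release for longer than this

# Fixed reference date (the page's date) so the results are reproducible.
AS_OF = date(2020, 5, 17)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    version_released: date          # release date of the version we ship
    latest_released: date           # release date of the newest upstream version
    last_activity: Optional[date]   # last upstream commit or release; None if unknown


def years_between(start: date, end: date) -> float:
    """Elapsed time in years; a negative span (bad inventory data) is clamped to zero."""
    return max(0, (end - start).days) / 365.25


def classify(c: Component, as_of: date = AS_OF) -> List[str]:
    """Return the staleness flags that apply to one component."""
    flags: List[str] = []
    if years_between(c.version_released, c.latest_released) > OUT_OF_DATE_YEARS:
        flags.append("out-of-date")
    # An unknown activity date is surfaced, not assumed healthy: absence of
    # evidence is not evidence of maintenance.
    if c.last_activity is None:
        flags.append("activity-unknown")
    elif years_between(c.last_activity, as_of) > ABANDONED_YEARS:
        flags.append("abandoned")
    return flags


def audit_codebase(components: List[Component], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Map each component name to its flags, keeping only flagged components."""
    findings: Dict[str, List[str]] = {}
    for c in components:
        flags = classify(c, as_of)
        if flags:
            findings[c.name] = flags
    return findings


def is_untended(components: List[Component], as_of: date = AS_OF) -> bool:
    """True if the codebase holds at least one out-of-date or abandoned component.

    'activity-unknown' is deliberately excluded so the headline figure only
    counts components with positive evidence of staleness.
    """
    return any(
        flag in ("out-of-date", "abandoned")
        for flags in audit_codebase(components, as_of).values()
        for flag in flags
    )


def fraction_untended(codebases: List[List[Component]], as_of: date = AS_OF) -> float:
    """Share of codebases that contain an out-of-date or abandoned component."""
    return sum(is_untended(cb, as_of) for cb in codebases) / len(codebases)


# Constructed inventories: two hypothetical codebases with invented components.
CODEBASE_A = [
    Component("libfoo", "1.2.0", date(2014, 3, 1), date(2019, 11, 1), date(2019, 11, 1)),  # old version, live project
    Component("libbar", "2.0.0", date(2017, 12, 1), date(2017, 12, 1), date(2017, 12, 1)),  # current version, dead project
    Component("libbaz", "0.9.3", date(2019, 10, 1), date(2020, 4, 1), date(2020, 4, 1)),    # healthy
    Component("libqux", "3.1.4", date(2013, 1, 1), date(2015, 5, 1), date(2015, 5, 1)),     # lags < 4 years but abandoned
    Component("libunk", "1.0.0", date(2019, 1, 1), date(2019, 1, 1), None),                 # no activity data
]
CODEBASE_B = [
    Component("libbaz", "0.9.3", date(2019, 10, 1), date(2020, 4, 1), date(2020, 4, 1)),
    Component("libunk", "1.0.0", date(2019, 1, 1), date(2019, 1, 1), None),
]

if __name__ == "__main__":
    for name, flags in audit_codebase(CODEBASE_A).items():
        print(f"{name}: {', '.join(flags)}")
    print("fraction of codebases untended:", fraction_untended([CODEBASE_A, CODEBASE_B]))
```

In practice the `Component` records would come from a lockfile or SBOM joined against registry metadata; the point of keeping `activity-unknown` as a separate flag is that a missing upstream date is a gap in the inventory to close, not a clean result.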
[Ed Note - The company that produced this report, Synopsys, is a vendor in this space and is not a disinterested party.]
(Score: 0) by Anonymous Coward on Sunday May 17 2020, @10:11AM (1 child)
I agree with what you are saying *except*, the problem is that some don't even perform the most cursory of code audits. Or, security audits on methods/codeflow.
So sure, some things are used in such a way, that it is irrelevant what its age is. Yet... I often get people defending that act, *after* they've looked at the code, and only then cry "See! It *is* safe, I was right!".
That's not secure, because the very method of usage is akin to just hoping someone locked the front door... or even has a lock ON the front door. Checking when someone asks isn't validating one is right...
And yeah.. I know one can pick apart statements all over the place, so I'm not claiming you meant this. Or even missed this. Just.. felt it had to be said.
(Score: 2) by MostCynical on Sunday May 17 2020, @11:57AM
The most secure program of all time was placed in a special folder, on web server, secured with the password "password".
So now it isn't.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex