Watch out for vulnerable open-source components hidden in commercial applications, a security firm warns.
The security of open-source components is a blind spot that's leaving businesses exposed to dozens of very old bugs, security firm Black Duck Software contends in a new report, based on open-source security work it's conducted.
IBM recently tapped Black Duck Software for its IBM Security AppScan to scan and map out potentially vulnerable open-source components in use.
The report summarizes audits of 200 commercial applications that the firm performed for customers in the six months to March.
The report highlights the challenge that many companies have in discovering which open-source components are present. The firm finds that the average commercial application consists of over 100 open-source components. However, at the beginning of an audit customers are only aware of about half of these.
This lack of visibility has implications for patching and raises the chance that old bugs remain on systems for long periods.
Indeed, the report finds that 67 percent of commercial applications contain vulnerable open-source components and that each application, on average, has five vulnerable components that contain multiple individual vulnerabilities. According to the firm's numbers, each application has 22.5 individual vulnerabilities across different components.
The discovery problem is also evident in the age of the bugs it found, which were, on average, more than five years old at the time of the scan.
"This indicates that the organizations didn't know about the vulnerabilities, either because they didn't know the component was present, or had not checked public resources for vulnerability information," the report notes.
Even high-profile bugs slip through the cracks. Black Duck Software says 10 percent of applications are vulnerable to the Heartbleed OpenSSL bug, and almost 10 percent are exposed to the POODLE bug, which affects TLS implementations.
Finally, the firm finds that almost 40 percent of the vulnerabilities detected in its scans have Common Vulnerability Scoring System base scores greater than seven.
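The metrics above come from matching a component inventory against an advisory feed. The following added example (not Black Duck's tooling or data) shows a minimal software-composition-analysis pass over a constructed inventory and a constructed advisory list, and computes the same kinds of figures the report cites: share of vulnerable applications, vulnerable components and individual vulnerabilities per application, share of findings above CVSS 7, average age of findings, and, for the visibility point, the share of findings that sit in components the team never declared. Component names, version ranges, scores, dates and the scan date are all assumptions.

```python
from datetime import date

# Constructed advisory feed (not real CVEs): component, affected range
# [introduced, fixed), CVSS base score, publication date.
ADVISORIES = [
    ("libalpha", "1.0.0", "1.2.0", 9.8, date(2010, 3, 1)),
    ("libalpha", "1.0.0", "1.3.0", 4.3, date(2012, 6, 1)),
    ("libbeta", "2.0.0", "2.5.1", 7.5, date(2014, 4, 7)),
    ("libgamma", "0.9.0", "1.0.0", 5.0, date(2015, 1, 15)),
]

# Constructed scan output per application: (components the scanner found
# with their versions, components the owning team had declared beforehand).
SCANS = {
    "app-a": ({"libalpha": "1.1.0", "libbeta": "2.4.0", "libdelta": "3.0.0"}, {"libbeta"}),
    "app-b": ({"libbeta": "2.6.0", "libgamma": "1.0.0"}, {"libbeta", "libgamma"}),
    "app-c": ({"libalpha": "1.2.5", "libgamma": "0.9.5"}, {"libalpha"}),
}

def parse_version(text):
    """Dotted numeric versions only, compared as tuples of ints."""
    return tuple(int(part) for part in text.split("."))

def affected(name, version):
    """Advisories whose [introduced, fixed) range contains this version."""
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a[0] == name and parse_version(a[1]) <= v < parse_version(a[2])]

def sca_metrics(scans, scan_date=date(2016, 3, 31)):  # constructed scan date
    """Report-style metrics; one finding per (application, advisory) match."""
    findings = []  # (was the component declared before the scan?, advisory)
    vuln_components = []  # distinct vulnerable components per application
    for found, declared in scans.values():
        hit = set()
        for comp, ver in found.items():
            for adv in affected(comp, ver):
                findings.append((comp in declared, adv))
                hit.add(comp)
        vuln_components.append(len(hit))
    n_apps, n_findings = len(scans), max(len(findings), 1)  # guard a clean scan
    age_days = [(scan_date - adv[4]).days for _, adv in findings]
    return {
        "pct_apps_vulnerable": 100 * sum(1 for c in vuln_components if c) / n_apps,
        "avg_vuln_components_per_app": sum(vuln_components) / n_apps,
        "avg_vulns_per_app": len(findings) / n_apps,
        "pct_cvss_over_7": 100 * sum(1 for _, adv in findings if adv[3] > 7) / n_findings,
        "avg_age_years": round(sum(age_days) / n_findings / 365.25, 1),
        "pct_in_undeclared_components": 100 * sum(1 for d, _ in findings if not d) / n_findings,
    }
```

Calling `sca_metrics(SCANS)` on the constructed data reports two of three applications vulnerable, 40 percent of findings above CVSS 7, and 60 percent of findings in components nobody had declared, which is the gap an audit is meant to close.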
Black Duck Software product strategy VP Mike Pittenger said the problem isn't the use of open source but rather the lack of visibility in its use and a lack of awareness of new vulnerabilities.