Study: More than 50% of Global 500 use vulnerable open source components

A joint study conducted by Sonatype and Aspect Security found that many open source components, security libraries and web frameworks contain vulnerabilities, and that many Fortune 500 companies have downloaded and built applications based on these components.
Written by Paula Rooney, Contributor

More than 50 percent of the world's largest corporations have open source applications with security vulnerabilities.

That's because more than 80 percent of software applications built in-house by enterprise developers incorporate open source components and frameworks that may be vulnerable.

Those are data points that most open source backers might dismiss. Still, one joint research report issued today by Silver Spring, MD-based Sonatype and Aspect Security says they're true.

Sonatype CEO Jackson

The report -- based on a survey of 2,550 developers, architects and analysts -- maintains that the widely held view that open source software is consistently high quality "overlooks ecosystem flaws," chiefly the lack of a notification system alerting developers about vulnerabilities and new versions with fixes.

"80% of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated," wrote Jeff Williams, CEO, and Arshan Dabirsiaghi, Director of Research at Aspect Security, a Columbia, MD-based application security consulting firm.

Aspect CEO

The report claims, for example, that there have been 46 million downloads of insecure versions of the most popular open source libraries and frameworks, including Google Web Toolkit, Spring MVC, Struts 1.X and Hibernate.

The report found that Struts 2 -- which was reportedly downloaded more than one million times by 18,000 corporations -- contained a critical vulnerability.

The survey results also maintain that 37 percent of all versions of 31 top components tested contained a CVE or OSVDB vulnerability, and that popular components are only 10 percent less likely to have vulnerabilities than less popular ones.

The report also claims that only 32 percent of organizations "maintain an inventory of the dependencies in their production applications, complicating issue resolution when a new vulnerability is discovered."

"With more than 80 percent of typical software applications using open-source components and frameworks consumed in binary form, the results of this research are a wake-up call to nearly every organization developing software to run business-critical functions," according to a statement issued by Aspect Security, a firm with application security expertise and a founding member of the Open Web Application Security Project.

Sonatype, which markets its Nexus Intelligent Repository Manager to improve the quality of software component development, is led by CEO Wayne Jackson, the former CEO of open source network security firm Sourcefire. The company was founded in 2008 by Jason van Zyl, creator of the Apache Maven build system.

The conclusion? That enterprises should maintain and strictly manage inventories of software components.

Some top open source developers had a different take on key findings of the report.

Rene Gielen, Chair of the Apache Struts Project Management Committee, did not dispute the findings but questioned whether the suggested solution is right in all cases.

"Open source software has flaws and will have flaws, as any other software product we know of today. While we will for sure not succeed in making our software products flawless, we can do our best to address such issues as soon as they are reported," wrote Gielen, on behalf of the entire project. "Most open source projects, Apache Struts included, have in general good track records in addressing security issues quickly and professionally and providing fixed versions as soon as possible."

"One thing we have to be clear about is that automated upgrade notifications and processes, as found in many desktop products, are not an option for the class of products we provide," the Struts developer said. "Where would an application server product, a web framework such as Struts or even a library provide such information in its runtime context? How would the notification be sent out to the product installations, given that enterprise setups most likely will separate the installation from direct internet access?"

A key member of the Apache Tomcat project offered this take:

"The numbers don't surprise me at all... It is certainly the case that there are organisations that continue to run vulnerable software (open and closed source) without realising what they are doing. I do not believe this is a problem unique to open source nor one that is particularly worse or better with open source compared to closed source," said Mark Thomas, a member of the Apache Tomcat Project Management Committee who is also on the Tomcat security team.

Thomas noted that many enterprises likely already have workarounds. Here are some possibilities that Thomas proposes:

1. The vulnerability applies to certain configurations and the organisation is not using a vulnerable configuration.
2. The vulnerability may be mitigated by another component in the stack. I can think of some Tomcat vulnerabilities that could not be exploited if Apache httpd was used as a reverse proxy in front of Tomcat.
3. The risk of continuing to use the vulnerable component is less than the risk of upgrading the component.

Andrew Aitken, founder and managing partner of Olliance Group, which is now owned by Black Duck Software, took issue with the sentiment of the report.

"It’s unfortunate to see this and we disagree with the tone of the study inferring that open source is low quality and risky," said Aitken, Founder and Managing Partner of Olliance Group.

"All software has vulnerabilities, and this study doesn’t compare open source to other code. It just says open source has “x”, and there have been many studies showing that OSS is higher quality than most other code," wrote Aitken, who cited key findings from a 2010 Coverity Open Source Integrity Report.

That report, based on Coverity's 2009 analysis of 280 open source projects including Linux, Apache, Firefox, Samba, PostgreSQL, OpenVPN and others, found that the open source software defect density is four times lower than the software industry average. Android's defect rate was said to be less than half the software industry average.

"It shows open source is generally higher quality," Aitken wrote, in response to the Sonatype-Aspect Executive Brief: Addressing Security Concerns in Open Source Components.

It's important to note that the Sonatype-Aspect study focuses on components, frameworks and libraries, as opposed to commercial open source applications or open source projects.

The Sonatype-Aspect execs -- who are major proponents of open source software -- were quick to respond to criticism with this lengthy e-mail explainer of their findings:

"At no point in the study do we say that Open Source is low quality. Sonatype after all is a company of open source software developers, a key contributor to the open source community through support and contribution to projects including Apache Maven, M2Eclipse, Nexus, Tycho and firm believers in the superiority of open source software.

What we're attempting to point out by this study is that open source is great for development and there's lots of benefit, but there's also risks that organizations need to be aware of -- mainly the idea that the open source ecosystem has no notification infrastructure -- so to date, there's no good way for developers to know when flaws are found in the components they are using to build software. Imagine your PC without auto-update, having to dig through release notes, searching for security bulletins, tracking down critical fixes.

Sonatype is committed to changing that and we view the Central Repository, the software development industry’s canonical exchange for software components as a key Sonatype asset and vital to this mission. Central enables real-time visibility into the software development ecosystem. Sonatype is uniquely able to know when any of the hundreds of thousands of components in Central are updated and who, among tens of thousands of organizations, are getting what components from Central every day. No other organization can provide this detail.

Our study simply brings to light the activity occurring in the Central Repository every day -- by thousands of development teams around the world. We are not comparing open source code to proprietary software as other studies have done. We are examining how components (the building blocks of modern applications) are being used by organizations to build software, and bringing to the forefront of conversation, the need for better component intelligence and change awareness."

Apache Struts' Gielen said it's a reminder that all enterprises must incorporate security fixes and patch management systems for all applications -- open source or not.

"We as open source framework providers cannot overemphasize how important it is to keep up with latest security fixes and see it as part of the profession to develop and run business critical software," Gielen wrote. "While we all got used to frequent operating system and desktop application updates, we seem to fail sometimes to transfer this habit to our enterprise application projects where automatic patch provisioning is not an option."
