Vulnerable open source component adoption skyrockets in the enterprise

Researchers say that despite high-profile breaches caused by careless open-source software use, enterprises are still failing to track and patch the open-source components in their software supply chains.
Written by Charlie Osborne, Contributing Writer

Open-source software and components are critical to many of the online services we use today.

Companies, ranging from the most well-known technology giants to SMBs, will often use open-source technologies to improve their own business processes and access useful software libraries.

Open-source components can be used in everything from security to Big Data analysis and communications platforms, but companies are failing to keep track of which open-source projects they rely on -- or to keep those components patched once a vulnerability is disclosed.

On Tuesday, Sonatype released new research which suggests that downloads of open-source components with known vulnerabilities have increased by 120 percent over the past year, despite a number of high-profile security incidents linked to vulnerable open-source software.

The report, State of the Software Supply Chain, says that 62 percent of businesses participating in the research admitted to having little knowledge of the open-source components in use through their supply chains and systems.

Sonatype says that old, vulnerable versions of Apache Struts, for example, are still being downloaded. In total, close to 9,000 organizations have recently downloaded vulnerable versions rather than the patched releases that were available at the time.

In 2017, Equifax blamed an unpatched Apache Struts vulnerability (CVE-2017-5638, a flaw in the framework's multipart request parser) for a data breach resulting in the compromise of 143 million records. The bug allows an unauthenticated attacker to execute arbitrary code on the server with a single crafted HTTP request, which is why an unpatched web-facing Struts application amounts to a remote takeover of the host.


Limited visibility into what is deployed, combined with downloading components without checking them against known vulnerabilities, is what puts enterprises at risk, and that risk is compounded by how quickly attackers now weaponize a newly disclosed open-source flaw.

According to the research, attackers exploit newly disclosed open-source vulnerabilities roughly 400 percent faster than they did a decade ago.

A working exploit may appear within three days of disclosure, leaving enterprises little time to triage and act, and that assumes they even know they are running the affected component.


Overstretched security teams, however, may find that automating this work reduces the load.


The report claims that automated open-source governance tooling can reduce the presence of vulnerable components with the potential to impact enterprise systems by up to 50 percent, and that DevOps teams are 90 percent more likely to comply with open-source policy when that policy is enforced automatically rather than by manual review.
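The two gaps the report describes, not knowing which components are in a build and not blocking known-vulnerable versions before they ship, are both addressed by the same kind of automated check. The following is an added example and is not Sonatype's tooling or code from the article: a small build-time policy gate that first inventories the resolved dependencies and then fails the build if any fall inside an affected version range. The dependency list format (the stripped `group:artifact:packaging:version:scope` lines a Maven dependency listing prints), the sample manifest and the policy structure are constructed for illustration; the Struts ranges follow the vendor's advisory for CVE-2017-5638 but should be verified against the current advisory before use.

```python
"""Added example: a build-time policy gate for known-vulnerable open-source
components. Not Sonatype's tooling; manifest format, sample data and policy
shape are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a flattened dependency inventory
# (group:artifact:packaging:version:scope). One line is a Struts release in
# the range affected by the bug the article ties to the Equifax breach.
SAMPLE_DEPENDENCY_LIST = """\
org.apache.struts:struts2-core:jar:2.3.31:compile
commons-fileupload:commons-fileupload:jar:1.3.3:compile
org.springframework:spring-core:jar:5.0.8.RELEASE:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:test
"""

# Policy: coordinate -> advisory id and inclusive affected version ranges.
# The Struts entry mirrors the vendor advisory for CVE-2017-5638 (S2-045),
# which lists 2.3.5-2.3.31 and 2.5-2.5.10 as affected. Verify ranges against
# the current advisory before relying on them; the structure is the point.
POLICY: Dict[str, Dict] = {
    "org.apache.struts:struts2-core": {
        "advisory": "CVE-2017-5638",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix of a version: '5.0.8.RELEASE' -> (5, 0, 8).
    Qualifiers are dropped, which is adequate for range checks on release lines."""
    parts = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            parts.append(int(token))
        else:
            break
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison on numeric tuples: (2, 5) <= (2, 5, 10) <= (2, 5, 10)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v <= hi


def parse_dependency_list(text: str) -> List[Dict[str, str]]:
    """Inventory step: every resolved artifact, transitive and test scope included.
    Knowing what is in the build is the prerequisite most respondents lacked."""
    inventory = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed dependency line: {line!r}")
        group, artifact, _packaging, version = fields[:4]
        scope = fields[4] if len(fields) > 4 else "compile"
        inventory.append({"coordinate": f"{group}:{artifact}",
                          "version": version, "scope": scope})
    return inventory


def find_violations(inventory: List[Dict[str, str]],
                    policy: Dict[str, Dict]) -> List[Dict[str, str]]:
    """Match each artifact against the policy; return those in an affected range."""
    violations = []
    for dep in inventory:
        entry = policy.get(dep["coordinate"])
        if entry is None:
            continue
        for low, high in entry["affected"]:
            if version_in_range(dep["version"], low, high):
                violations.append({**dep, "advisory": entry["advisory"]})
                break
    return violations


def gate(text: str, policy: Dict[str, Dict] = POLICY) -> Tuple[bool, List[Dict[str, str]]]:
    """Build gate: True means the build may proceed, False means block it."""
    violations = find_violations(parse_dependency_list(text), policy)
    return (len(violations) == 0, violations)


if __name__ == "__main__":
    ok, hits = gate(SAMPLE_DEPENDENCY_LIST)
    for hit in hits:
        print(f"BLOCK {hit['coordinate']}:{hit['version']} "
              f"({hit['scope']}) -> {hit['advisory']}")
    raise SystemExit(0 if ok else 1)
```

Run against the sample, the gate blocks the build on `struts2-core:2.3.31` and exits non-zero, which is what makes a CI step enforce the policy without a human reviewing each pull request; the same inventory, written out as a file, is the record that answers "are we affected?" on the day an advisory lands, within the three-day window the report describes. In practice the policy would be fed from a vulnerability database rather than hand-maintained, and a `test`-scope hit would usually be reported rather than block, but the structure stays the same.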

"We are seeing more breaches in open-source software because of the gravitational force that pulls features, complexity, and technical debt towards a software system over time, which make it very difficult to patch in a timely fashion," says Kevin Greene, Principal Software Assurance Engineer at MITRE. "Unfortunately, that hasn't changed the consumption rate of open-source software by developers. This is consistent with what I believe is a growing concern, that developers may have surrendered to the idea that all software is vulnerable and have known vulnerabilities. We must give developers better supply chain options where quality and security are intrinsically designed-in."

In May, research conducted by Synopsys found that 96 percent of enterprise firms use open-source software and over 60 percent of these components contained unpatched security vulnerabilities.
