A recent study undertaken by Aspect Security and Sonatype, open-source software repository reveals open-source code libraries as rife with vulnerabilities. The study, titled “The Unfortunate Reality of Insecure Libraries” examined 113 million user downloads from 31 popular libraries of open source code over the previous year and discovered that about one in every four downloads had some vulnerability or the other. In all, about 19.8 million downloads had vulnerabilities, and the list of such tainted libraries include popular ones such as Google Web Toolkit, various versions of Apache, Java Servlet, Java Server Pages and others.
Any application on an average uses about 30 or more such libraries, and such libraries continue supply an overwhelming portion of the application code. The high incidence of vulnerability, as such, directly translates to compromised applications.
The nature of vulnerabilities inherent in such libraries, and by extension, the application, vary. Some vulnerability allows attackers to takeover the host completely whereas others lead to loss of data integrity, or data theft. For instance, Apache CXF, a Web Services framework with 4.2 million downloads in the 12 months of the study, contained vulnerabilities that facilitated cyber criminals to download files and circumvent authentication.
To make matters worse, open-source communities, very often the sole resources for such software, seldom provide clear-cut ways to identify code with vulnerabilities, or to take remedial measures, even when a fix is available. For paid software, vendors issue notifications on patches available to fix vulnerabilities. OpenBSD and some other open source groups do a good job in issuing such notifications and managing vulnerability disclosures but these are exceptions rather than the norm.
Aspect and Sonatype are mulling over possible solutions to address the critical issue, but until such a solution happens, the only foolproof way to secure applications is to avoid code libraries altogether.