By Michael Hill
18 OCT 2017
A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components.
In its 2017 State of Software Security Report, the firm reviewed application security testing data from scans of its base of 1,400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks.
Part of the problem, Veracode claimed, is that fewer than 28% of companies carry out regular analysis to see which components are built into their applications.
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Chris Wysopal, CTO, CA Veracode.
There have been plenty of high-profile breaches of Java applications in the last year caused by vulnerabilities in open source or commercial components, one such example being the ‘Struts-Shock’ flaw affecting the Apache Struts 2 web application framework.