Digital infrastructure At Risk From Security Flaws In Java And Open Source

The widespread use of Java and open source software components is creating an unmanageable cyber security risk, according to analysis conducted by application security specialist Veracode.

A report it produced on code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months revealed that 97 percent of Java applications contained at least one component with a known cyber vulnerability.

The report found that one flaw in a single popular component can propagate to more than 80,000 software components, which in turn could be used in the development of potentially millions of software programmes, spreading the flaw further and further.

Open source danger

While many champion the use of open source development as means to build software out of cutting edge components and code that benefits from the combined expertise of a community of developers, the lack of security oversight can lead to cyber security holes spreading like wildfire.

“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” said Brian Fitzgerald, CMO at Veracode.

“Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease with which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”

The report noted that 60 percent of applications failed basic security requirements on their first scan. However, it highlighted that the rise of DevOps is leading to more companies carrying out repeated scans of their software and integrating security processes as it is developed in order to pick out the vulnerabilities without slowing down software creation.

Simply adhering to best practices when developing software can root out problems without abandoning open source use.

“The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments,” said Chris Wysopal, co-founder and CTO at Veracode. “Our platform data shows that more companies are starting to test applications multiple times throughout the development lifecycle.”
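The repeated scanning the report describes is, at its simplest, checking every resolved build dependency against a list of components with known vulnerabilities and failing the build when one is found. The following is an added illustration of that gate, not Veracode's tooling or anything from the report: it parses a constructed sample of Maven `dependency:list` output and compares each coordinate against a constructed, hypothetical advisory list (the `EXAMPLE-ADV-…` identifiers and `org.example` artifacts are invented for this example).

```python
"""Minimal software-composition check for a Java build.

Added illustration, not Veracode's tooling: it reads a constructed list of
Maven coordinates (the group:artifact:type:version:scope lines that
`mvn dependency:list` prints) and flags any that fall inside an affected
version range taken from a constructed, hypothetical advisory list.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of resolved build dependencies, in the form printed by
# `mvn dependency:list`. The org.example artifacts are invented.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:widget-core:jar:2.3.1:compile
[INFO]    org.example:widget-json:jar:1.0.7:compile
[INFO]    org.example:widget-logging:jar:3.4.0:runtime
[INFO]    org.example:widget-test:jar:0.9.2:test
"""


@dataclass(frozen=True)
class Advisory:
    """One constructed, hypothetical advisory: affected range is [affected_from, fixed_in)."""
    advisory_id: str
    group_id: str
    artifact_id: str
    affected_from: str
    fixed_in: str


# Constructed advisories with invented identifiers (not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "org.example", "widget-json", "1.0.0", "1.0.9"),
    Advisory("EXAMPLE-ADV-0002", "org.example", "widget-logging", "3.0.0", "3.3.2"),
]

DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); a non-numeric segment sorts as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Extract (group, artifact, version, scope) from dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"], m["scope"]))
    return deps


def find_vulnerable(deps, advisories) -> List[Tuple[str, str]]:
    """Return (coordinate, advisory_id) for every dependency inside an affected range."""
    findings = []
    for group, artifact, version, _scope in deps:
        v = parse_version(version)
        for adv in advisories:
            if (group, artifact) != (adv.group_id, adv.artifact_id):
                continue
            if parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in):
                findings.append((f"{group}:{artifact}:{version}", adv.advisory_id))
    return findings


def scan_gate(text: str, advisories=SAMPLE_ADVISORIES) -> int:
    """CI gate: 0 when clean, 1 when any known-vulnerable component is present."""
    findings = find_vulnerable(parse_dependency_list(text), advisories)
    for coordinate, advisory_id in findings:
        print(f"FAIL {coordinate} affected by {advisory_id}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(scan_gate(SAMPLE_DEPENDENCY_LIST))
```

Run as a build step, the non-zero exit code is what lets a pipeline stop on a known-vulnerable component; in practice the advisory list would come from a maintained feed rather than a constant, and the check would run on every build rather than once, which is the point the Veracode quote above makes.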

So serious is the problem of potential security flaws in open source that Linux Foundation executive director Jim Zemlin said it puts the golden age of open source at risk.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
