Dark Side of Frameworks and Libraries
A recent study published by Aspect Security and Sonatype suggests 80% of the code in today’s in-house software comes from frameworks and libraries. I’m not a developer myself, but judging from what I’ve seen in IT circles and water cooler chats with resident developers over the years, I wouldn’t be surprised.
The researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations and reported some notable results. The study claims over 50% of Fortune 500 corporations have vulnerabilities in software developed in-house, because that software typically pulls in open source libraries and frameworks to cut development time. The results also suggested that 37 percent of all versions of the 31 top components contained a CVE or OSVDB vulnerability, and that popular components are only 10 percent less likely to have vulnerabilities than less popular ones. Although the survey portion was limited to 2,550 developers (a small sample), it found that only 32 percent of organizations “maintain an inventory of the dependencies in their production applications, complicating issue resolution when a new vulnerability is discovered.” The publishers concluded: “The risk of vulnerabilities in these components is widely ignored and under appreciated.”
Open Source software is sometimes perceived as higher quality simply because of the “many eyes” effect (more people reading the source code). Studies like this burst that bubble and serve as a wake-up call. Open Source software should not be treated any differently than commercial software; open source or not, it is all written by humans. While automated updates may not be as easy as with commercial software, administrators who decide to use Open Source components should implement a maintenance strategy: know which libraries and versions are in production, watch for newly published vulnerabilities in them, and have a process to update. The corporate software policy should reflect that too.
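The study’s inventory finding and the maintenance strategy above come down to one recurring check: do any pinned dependencies in production fall inside a published advisory’s affected range? The script below is an added example written for this post, not code from the study or from Aspect Security or Sonatype. The component names, versions and advisory identifiers (`acme-webfw`, `ADV-0001` and so on) are constructed and fictitious; in practice the inventory comes from a lock file or SBOM and the advisories from a vulnerability feed.

```python
"""Check a pinned production dependency inventory against advisories.

Added example for this post; all names, versions and advisory IDs below are
constructed and fictitious. Real data would come from a lock file/SBOM and a
vulnerability feed (CVE, OSVDB or similar).
"""
import re
from dataclasses import dataclass


def parse_version(v):
    """Split '1.10.0' into (1, 10, 0) so comparison is numeric.

    A plain string compare would rank '1.10.0' below '1.9.0' and silently
    misclassify components as fixed or vulnerable.
    """
    return tuple(int(part) for part in re.findall(r"\d+", v))


@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str          # first version that contains the fix
    introduced: str = "0"  # first affected version (default: all earlier ones)

    def affects(self, version):
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


def parse_inventory(text):
    """Parse 'name==version' lines (requirements-style) into {name: version}.

    Blank lines and '#' comments are skipped. An unpinned entry is rejected:
    without a version the inventory cannot answer 'are we affected?'.
    """
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(inventory, advisories):
    """Return (component, deployed version, advisory id, fixed-in) tuples."""
    findings = []
    for adv in advisories:
        deployed = inventory.get(adv.component.lower())
        if deployed is not None and adv.affects(deployed):
            findings.append((adv.component, deployed, adv.advisory_id, adv.fixed_in))
    return findings


# Constructed sample inventory (fictitious components).
INVENTORY_TEXT = """
# production build, constructed for this example
acme-webfw==2.3.1
acme-xmlparse==1.10.0
acme-crypto==0.9.4
"""

# Constructed sample advisories (fictitious identifiers and ranges).
ADVISORIES = [
    Advisory("ADV-0001", "acme-webfw", fixed_in="2.3.2", introduced="2.0.0"),
    Advisory("ADV-0002", "acme-xmlparse", fixed_in="1.9.0", introduced="1.0.0"),
    Advisory("ADV-0003", "acme-crypto", fixed_in="1.0.0"),
    Advisory("ADV-0004", "acme-notused", fixed_in="3.0.0"),
]

INVENTORY = parse_inventory(INVENTORY_TEXT)
FINDINGS = find_vulnerable(INVENTORY, ADVISORIES)

if __name__ == "__main__":
    for component, deployed, advisory_id, fixed_in in FINDINGS:
        print(f"{component} {deployed} is affected by {advisory_id}; upgrade to {fixed_in}")
```

Run stand-alone it flags `acme-webfw` and `acme-crypto`; `acme-xmlparse` 1.10.0 is correctly treated as newer than the 1.9.0 fix, which is the case a naive string comparison gets wrong. Rejecting unpinned entries is deliberate: an inventory that does not record versions cannot be matched against advisories, which is exactly the “complicating issue resolution” problem the study describes.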
If you’re interested in a copy, you may request the study here.