Study: Open source libraries propagate security flaws

Research finds that one-third of the most commonly used open source Java components contain security vulnerabilities

Although companies such as Microsoft, Adobe, and Mozilla have raised awareness of secure programming practices in recent years, getting developers to adopt best practices to weed out vulnerabilities in program code remains a challenge. A case in point: Developers often overlook the necessity of keeping the open source components of their software up-to-date, a problem exacerbated by poor update mechanisms, according to a study released on Monday.

The report, which analyzed code downloaded from a popular collection of open source components known as the Central Repository, found that a large number of development organizations, including half of Global 100 financial firms, used vulnerable libraries from the repository.

"The problem we've found is that there is no central update mechanism or notification system to tell (developers) of software about the vulnerabilities that are being discovered in individual projects," says Wayne Jackson, CEO of Sonatype, the firm that maintains the Central Repository. "What that has led to is a huge amount of consumption of components that are known to have security flaws."

How huge? Research firm Aspect Security, which penned the study with the help of Sonatype, found that of the 113 million downloads of the most popular 31 open source Java frameworks and security libraries, 21 percent had known vulnerabilities, and 41 percent were older versions of the components. The vulnerable software included the Struts 2 Java application framework, the Spring application development framework, and Apache CXF, a framework for developing Web services.

"That magnitude of downloads means there are quite a lot of vulnerable applications in use," the report states. "This data shows that security is not a major consideration in the determination of which library to download."

Developers must not only secure their own code, but make sure they are using the most secure version of any third-party code as well, says Sonatype's Jackson. The report recommends that developers create an inventory of all the libraries used in a project and keep those components up-to-date. In addition, the open source industry needs better ways to inform developers when there is a security update in a library that they use. One in five developers told the study there was not a good way to find out about updates, while two-thirds learn of updates from the project site.
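The inventory-and-check practice the report recommends, shown as an added example that is not from the study, Aspect Security or Sonatype: the script reads a constructed Maven pom.xml, builds an inventory of the declared coordinates, and flags any dependency whose version is below the first fixed version in a constructed advisory list. All artifact names, versions and advisory entries are placeholders, not real advisory data.

```python
"""Build a dependency inventory from a Maven pom.xml and flag versions that
fall below the first fixed version listed in an advisory feed."""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; the coordinates are placeholders, not real projects.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util-lib</artifactId>
      <version>1.4.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory list (placeholder data): coordinate -> first fixed version.
ADVISORIES = {
    "org.example:web-framework": "2.3.99",
    "org.example:util-lib": "1.3.0",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(v):
    """Turn '2.3.1' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def inventory(pom_text):
    """Return {'group:artifact': version} for every dependency that declares a version."""
    root = ET.fromstring(pom_text)
    deps = {}
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if group and artifact and version:
            deps[f"{group}:{artifact}"] = version
    return deps

def flag_vulnerable(deps, advisories):
    """Return the dependencies whose version is older than the advisory's fixed version."""
    return {coord: ver for coord, ver in deps.items()
            if coord in advisories
            and parse_version(ver) < parse_version(advisories[coord])}

if __name__ == "__main__":
    for coord, ver in flag_vulnerable(inventory(SAMPLE_POM), ADVISORIES).items():
        print(f"{coord} {ver} is below fixed version {ADVISORIES[coord]}")
```

Versions that Maven resolves through dependencyManagement or a parent POM carry no `<version>` element here and are skipped, so a real inventory should be taken from the resolved dependency tree rather than the raw file.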

"Open source is so transformative in how it lets organizations innovate, that we can't give it up," says Sonatype's Jackson. "We have to, as an industry, come up with ways and practices and procedures that make its use much safer."

This article, "Study: Open source libraries propagate security flaws," was originally published at