Survey raises specter of massive enterprise software insecurity

Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components

You're studiously virus checking your desktop systems, and all your server applications are running on platforms that are regularly updated. But what about the applications themselves -- are they secure?

Sonatype today released results of the annual Open Source Software Development Survey, which looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. Sonatype surveyed 3,500 people from more than 50 countries -- more than 85 percent of them developers -- to understand their approaches to assembling software. The results show the massive extent to which developers now rely on components: At least 80 percent of a typical Java application is now assembled from open source components and frameworks.

This has been the case for many years, but the survey illustrates well how fully the practice of assembling applications from components, rather than writing code from scratch, has matured -- albeit with a focus mainly on Java components. The popularity of tools like Node Package Manager (npm), CPAN, and more recently PHP Composer suggests Sonatype's findings probably reflect a general trend independent of the language used. Ask any employable developer and they will tell you: Components are the way things get built.

However, this raises new issues. Sonatype has determined that developers are not keeping up to date with security issues. The survey reports that 71 percent of the applications being built using components from its service use at least one component version with known security issues and for which updated versions exist with those issues addressed. In 2012, 46 million insecure versions of components were downloaded. Security used to be a matter of keeping your off-the-shelf or LAMP-stack software up to date and fully patched, but that's not a safe assumption any more.

I asked Sonatype CEO Wayne Jackson if there was any evidence of an increase in the number of critical security issues at CERT -- known as CVEs -- that arise from component exploits rather than exploits on finished software. He investigated and found that there were. While in 2006 there were just eight CVEs that identified a component as the source of the risk, by 2012 that number had risen to 50. Today, if you want to keep your company secure it's not enough to just keep your platforms up to date. You also need a policy that keeps your applications secure.


It's also possible this problem is more pronounced with Maven than with other component repositories, since Maven fixes the version number in the POM rather than offering version ranges. Certainly JavaScript programmers using npm and PHP programmers using PHP Composer can specify that later minor versions which don't break API compatibility are acceptable, and update their software with a simple command. But this isn't just an open source issue or even just a Java issue; it's probable that proprietary components purchased from closed-source suppliers are affected just as much.

Naturally Sonatype has a product to help with the problem, but the root cause is that most of us simply haven't realized how far developer choice of components has come to dominate our systems. A black hat hacker can use an exploit on a component as a gateway to systems, and applications in the enterprise that use that component may never get updated to close the exposure and kill the exploit. The survey found that only 38 percent of the organizations surveyed have the controls needed to maintain inventories of the components in use by their applications and ensure security updates happen.
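The control the survey describes -- an inventory of the components an application uses, checked against known security issues, with attention to whether a fixed version exists -- can be illustrated with a small audit script. The following is an added example written for this article, not Sonatype's product or any project's own code: it reads the fixed versions from a Maven POM, compares them against an advisory list, and notes whether the fix would fit an npm-style caret range (same major version, as discussed above) or requires a major-version upgrade. The POM, the `org.example` coordinates and the `ADV-000x` advisory identifiers are constructed placeholders, not real components or CVEs.

```python
"""Audit pinned Maven dependencies against an advisory list (added example).

The sample POM and the advisory entries below are constructed for illustration;
nothing here refers to a real component, vendor feed or CVE.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM. Maven pins each dependency to one exact version.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-core</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>xml-util</artifactId>
      <version>2.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-lib</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: every release older than "fixed" is affected.
# The ids are placeholders standing in for whatever identifier a real feed would carry.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "group": "org.example",
     "artifact": "web-core", "fixed": "1.4.5"},
    {"id": "ADV-0002 (placeholder)", "group": "org.example",
     "artifact": "xml-util", "fixed": "3.0.0"},
]


def parse_version(text):
    """Turn '1.4.2' or '1.4.2-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Missing components default to 0; qualifiers after the numbers are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def in_caret_range(candidate, pinned):
    """npm-style '^pinned' semantics: candidate >= pinned and the left-most non-zero
    component is unchanged (^1.4.2 allows 1.9.0 but not 2.0.0; ^0.3.1 allows 0.3.9
    but not 0.4.0; ^0.0.3 allows only 0.0.3)."""
    c, p = parse_version(candidate), parse_version(pinned)
    if c < p:
        return False
    if p[0] != 0:
        return c[0] == p[0]
    if p[1] != 0:
        return c[:2] == p[:2]
    return c == p


def pom_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in a POM,
    ignoring the XML namespace Maven places on every element."""
    root = ET.fromstring(pom_xml)

    def local(el):
        return el.tag.split("}")[-1]

    for dep in root.iter():
        if local(dep) != "dependency":
            continue
        fields = {local(child): (child.text or "").strip() for child in dep}
        # Versions inherited from a parent POM or BOM cannot be resolved from this file alone.
        if fields.get("version"):
            yield fields.get("groupId", ""), fields.get("artifactId", ""), fields["version"]


def audit(pom_xml, advisories):
    """Return one finding per pinned dependency that an advisory marks as affected,
    recording the first fixed release and whether moving to it stays caret-compatible."""
    by_coord = {}
    for adv in advisories:
        by_coord.setdefault((adv["group"], adv["artifact"]), []).append(adv)
    findings = []
    for group, artifact, version in pom_dependencies(pom_xml):
        for adv in by_coord.get((group, artifact), []):
            if parse_version(version) < parse_version(adv["fixed"]):
                findings.append({
                    "coordinate": f"{group}:{artifact}",
                    "pinned": version,
                    "advisory": adv["id"],
                    "fixed": adv["fixed"],
                    "compatible_upgrade": in_caret_range(adv["fixed"], version),
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POM, ADVISORIES):
        kind = "drop-in" if f["compatible_upgrade"] else "major-version"
        print(f"{f['coordinate']} {f['pinned']} -> {f['fixed']} ({f['advisory']}, {kind} upgrade)")
```

Run against the constructed inputs, the script flags `web-core` (a drop-in fix within 1.x) and `xml-util` (fixed only in 3.0.0, so an API-breaking upgrade), and leaves `json-lib` alone. The caret check is what separates the two cases the article contrasts: a pin that could be refreshed with a simple command under npm or Composer semantics, and a pin that needs a deliberate migration. A real deployment would replace the constructed `ADVISORIES` list with a maintained feed and run the audit on every build so that the inventory stays current.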

Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running on off-the-shelf platforms, it's time for enterprise development to wake up and smell the black hats. They're targeting your components, not just your servers.

This story, "Survey raises specter of massive enterprise software insecurity," was originally published at InfoWorld.

Copyright © 2013 IDG Communications, Inc.
