Enterprise software is rife with vulnerabilities


Far too many organizations are making a serious mistake with their enterprise or in-house software: building it with open-source components that are flawed. 

That’s according to research by Sonatype. The software supply chain management organization’s “2015 State of the Software Supply Chain Report” found more than 15,000 open-source Java components downloaded in 2014 had known vulnerabilities – that’s 7.5% of all components downloaded by businesses.

Also worrisome:

  • large companies may use as many as 7,600 suppliers, which makes oversight extremely difficult
  • the average time to fix open-source vulnerabilities is more than one year (390 days)
  • 6.2% of all open-source and third-party components had vulnerabilities in 2014, and
  • each application has an average of 24 known severe or critical vulnerabilities.

Upstream problems

When applications are built with vulnerable components, the final product is weakened. Hackers, who may be more keen on finding vulnerabilities than the average in-house developer or enterprise software supplier, hunt out these flaws, isolate them and use them as a way in to infect systems.

While big name vulnerabilities such as Heartbleed get a lot of media and developer attention, others may go unnoticed by all but the most eagle-eyed of users and hackers.

Some companies will never find out they have vulnerable components in their software. In fact, the majority (60%) don’t have an inventory that contains information on all components used.

And 43% of companies don’t have any rules or policies regarding the use of open-source material.

That obviously makes it very difficult to detect if there’s a vulnerability in software until it’s too late.

Smarter supply chains can protect you

If you want to make sure your enterprise applications are secure (and you do), here are some hints:

  • Stick to trusted suppliers. Having a few responsible, responsive suppliers for software is key. This protects against weaknesses that companies in a rush to get their products out might include.
  • Take inventory. It’s essential to have an inventory of all software components your organization uses – and to check these regularly for updates or publicly disclosed flaws.
  • Get in-house buy-in. One company that wanted to be sure it knew about open-source components in its systems added two simple steps to make sure its techs disclosed these components.
    First, it added a sign-off step to every process, in which it asked techs whether they used open-source code in the project. Just by making them aware each time that they had to disclose this information, the company got more compliance. And if techs didn’t want to disclose the code, they were told they had to rip it out.
    The second step: in-person training. While it’s one thing to put these policies in writing or have techs read about them online, nothing beat sitting them down with the legal and security teams, who explained that any violations of these policies could result in serious problems – and that if these violations were found, the techs would be held accountable personally.
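
One way to carry out the "take inventory" hint for Java projects, as an added example that is not from the article or from Sonatype: build a component inventory from each application's Maven pom.xml and cross-check it against a list of disclosed flaws. The application names, the org.example components, the advisory IDs and the fixed versions are all constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def dep(artifact, version=None):
    v = f"<version>{version}</version>" if version else ""
    return f"<dependency><groupId>org.example</groupId><artifactId>{artifact}</artifactId>{v}</dependency>"

def pom(*deps):
    return f'<project xmlns="{NS["m"]}"><dependencies>{"".join(deps)}</dependencies></project>'

# Constructed sample manifests (hypothetical applications and components).
POMS = {
    "billing-app": pom(dep("example-parser", "1.2.0"), dep("example-http", "3.1.4")),
    "hr-portal": pom(dep("example-parser", "1.3.0"), dep("example-codec")),  # version set elsewhere
    "inventory-svc": pom(dep("example-parser", "1.2.0")),
}

# Constructed advisory feed: component -> (placeholder advisory id, first fixed version).
ADVISORIES = {
    "org.example:example-parser": ("ADVISORY-PLACEHOLDER-1", "1.2.5"),
    "org.example:example-codec": ("ADVISORY-PLACEHOLDER-2", "2.0.1"),
}

def version_key(version):
    # Simplified numeric ordering; not the full Maven version comparison rules.
    return tuple(int(p) if p.isdigit() else 0 for p in version.replace("-", ".").split("."))

def build_inventory(poms):
    """Map (group:artifact, version) -> set of applications that use it."""
    inventory = defaultdict(set)
    for app, xml_text in poms.items():
        for d in ET.fromstring(xml_text).iterfind(".//m:dependency", NS):
            coord = d.findtext("m:groupId", "", NS) + ":" + d.findtext("m:artifactId", "", NS)
            # A dependency with no pinned version cannot be cleared; record it as UNKNOWN.
            inventory[(coord, d.findtext("m:version", "UNKNOWN", NS))].add(app)
    return inventory

def find_flagged(inventory, advisories):
    """Return components that are below the fixed version or cannot be verified."""
    findings = []
    for (coord, version), apps in sorted(inventory.items()):
        if coord in advisories:
            adv_id, fixed = advisories[coord]
            if version == "UNKNOWN" or version_key(version) < version_key(fixed):
                findings.append((coord, version, adv_id, fixed, sorted(apps)))
    return findings

if __name__ == "__main__":
    for finding in find_flagged(build_inventory(POMS), ADVISORIES):
        print(finding)
```

Keying the inventory by component rather than by application means one disclosed flaw immediately shows every application that needs the update.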

 
