Developers have become savvier about incorporating software security into their development process earlier in product lifecycles, and many have effectively used tools like static analysis software to eradicate vulnerabilities from their own code. However, most projects incorporate some amount of open source code, and these libraries can introduce vulnerabilities if not carefully monitored. While open source code is generally secure, companies have a responsibility to ensure they are using the most up-to-date versions of each component and to keep looking for vulnerabilities in their products regardless of where the code came from.
According to a recent study from White Source Software that looked at around 3,000 commercial software projects, 23 percent of programs contain open source code with known vulnerabilities. In general, the problem stems from inconsistent updates: Of those vulnerable open source libraries, 98.7 percent were not the most up-to-date versions.
With eight to nine out of every 10 software projects using open source software, improving the security of open source components in programs is a growing industry concern. Another recent study from Rapid7 argued that open source projects need better vulnerability reporting practices, while several new bug bounty programs have launched offering rewards to researchers who find flaws in popular open source tools. Nonetheless, the issue is not so much that open source libraries are generally unsafe as that developers may need to pay more attention to the elements they incorporate into their own programs.
“Open-source communities are very diligent and go through a lot of trouble fixing and identifying problems,” White Source CEO Remi Sass told Dark Reading. “The real issue is the disconnect between that community and its end users.”
As companies look to implement secure open source code in their products, they can benefit from applying the same code review methodologies to open source libraries as they would to their own custom code. Using static analysis software, they can quickly examine existing code bases and look for potential problems – work that can also help improve the overall open source project when the findings are reported upstream. With increased attention being paid to open source vulnerabilities, companies can cover their bases by taking such precautions.
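The two checks this article calls for, confirming that each open source component is at its current version and that no known advisory applies to the version actually pinned, can be automated as a small dependency audit. The script below is an added example written for this page; it is not Klocwork's, WhiteSource's or Rapid7's tooling. The manifest, the "latest version" table and the advisory entries are constructed placeholders standing in for a package index and a vulnerability feed, and the package names and advisory identifiers are invented.

```python
"""Flag open source dependencies that are out of date or fall inside a known
advisory's affected range. Added example; all data below is constructed."""
import re
from dataclasses import dataclass


def parse_version(s):
    """Split '1.10.2' into (1, 10, 2) so versions compare numerically.
    Plain string comparison would rank '1.9.0' above '1.10.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def parse_manifest(text):
    """Parse 'name==version' lines (requirements.txt style).
    Blank lines and '#' comments are ignored; an unpinned entry is an error,
    because an audit cannot judge a version that is not stated."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, ver = line.partition("==")
        if not sep or not ver.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = ver.strip()
    return deps


@dataclass
class Advisory:
    ident: str       # placeholder identifier, not a real CVE
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(deps, latest, advisories):
    """Return (package, pinned, kind, detail) tuples for each finding.
    'outdated' means a newer release exists; 'vulnerable' means the pinned
    version lies inside an advisory's affected range. A component can be both."""
    findings = []
    for name, ver in sorted(deps.items()):
        if name in latest and parse_version(ver) < parse_version(latest[name]):
            findings.append((name, ver, "outdated", f"latest is {latest[name]}"))
        for adv in advisories:
            if adv.package == name and is_affected(ver, adv):
                findings.append(
                    (name, ver, "vulnerable", f"{adv.ident} fixed in {adv.fixed}")
                )
    return findings


# Constructed manifest: three invented libraries pinned to specific versions.
MANIFEST = """
# constructed sample manifest
examplelib==1.4.0
toyparser==2.0.1
cleanlib==3.2.0
"""

# Constructed stand-in for a package index's "latest release" answer.
LATEST = {"examplelib": "1.6.2", "toyparser": "2.0.1", "cleanlib": "3.2.0"}

# Constructed stand-in for a vulnerability feed; identifiers are placeholders.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "examplelib", "1.0.0", "1.5.0"),
    Advisory("ADV-PLACEHOLDER-2", "toyparser", "1.9.0", "2.0.0"),
]


def run_audit():
    """Audit the constructed manifest against the constructed feeds."""
    return audit(parse_manifest(MANIFEST), LATEST, ADVISORIES)


if __name__ == "__main__":
    for name, ver, kind, detail in run_audit():
        print(f"{kind:10} {name}=={ver}: {detail}")
```

Run against the constructed data, the audit reports `examplelib` twice (it is behind the latest release and its pinned version sits inside the placeholder advisory's range), while `toyparser` is current and its 2.0.1 is past the advisory's fixed version, so it is clean. The two-sided range check matters: a version that is merely old is a maintenance problem, but a version inside an affected range is the 23 percent case the article describes, and treating the two alike hides the urgent one.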
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.