Consider the software applications a business uses every day: web browser, email, file sharing, messaging, online meetings. Most people aren’t aware that nearly all the well-known apps contain open-source components that software vendors often don’t disclose. Used for routine functions – such as libraries processing multimedia data or securing communications on computer networks – many of these components have security vulnerabilities that can be exploited in a cyberattack.

A recent study found that nearly all commercial off the shelf (COTS) software applications tested contained open-source components with security vulnerabilities; among those, 85% contained at least one with the highest possible critical vulnerability score. Additionally, 30% of the open-source components tested contained at least one security flaw that’s been assigned a common vulnerabilities and exposures (CVE) identifier, adding it to a list of publicly disclosed information security vulnerabilities and exposures.

The whitepaper by Osterman Research, “Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software,” employed data generated by GrammaTech Inc. CodeSentry supply chain security software to identify the open-source components.

Key findings of the research:

  • Meetings, email client categories are most vulnerable – They contain the highest average weighting of vulnerabilities. Given the widespread use of these tools, organizations should understand the potential for compromise.
  • Common use of components with critical vulnerabilities – All but three of the applications studied included at least one critical vulnerability scoring the maximum 10.0 on the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of computer system security vulnerabilities.
  • Newer component versions aren’t always more secure – Major software revisions often have a higher number of vulnerabilities than previous, incremental updates. There hasn’t been a straight-line decrease of vulnerabilities in newer versions nor the weighted value of high and critical vulnerabilities.

Since open-source software is unlikely to disappear from third-party software, GrammaTech recommends organizations continually assess open-source component usage and vulnerabilities across newer and emerging versions of their COTS software to address enterprise risk before choosing and implementing applications, which can include working with vendors to mitigate found issues.

GrammaTech Chief Product Officer Vince Arneja says, “Most organizations trust suppliers to keep their software free of defects. As this survey shows, companies need to conduct their own quality control to verify the security of purchased software. Maintaining an up-to-date software bill of materials that details software components and their associated vulnerabilities is the first step in being able to understand and mitigate security vulnerabilities in commercial software applications before and after they are implemented.”

This is just another reminder that any system consisting of thousands, or tens of thousands of components now requires increased vigilance to protect it from cyberattack. – Eric