Most open source applications ‘vulnerable to cyber crime’

Many applications using open source code have some kind of security vulnerability, new research suggests.

Analysis by Black Duck, a security firm, of more than a thousand open source applications found 60 per cent were in some way vulnerable.

The firm said its findings should be an “eye-opener” for cyber security professionals.

Analysis of the financial sector found that apps used in the industry contained, on average, 52 open source vulnerabilities per application, with 60 per cent of the applications containing “high risk” vulnerabilities.

In the retail and ecommerce industries there was the highest number of applications with high risk vulnerabilities (83 per cent).

Black Duck CEO Lou Shipley said the findings are important, because the application layer is a prime target for hackers.

“Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” he said.

Chris Fearon, director at Black Duck’s open source security research group, said that while open source applications are widely used, very few organisations are doing an adequate job detecting, remediating and monitoring open source vulnerabilities.

“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source,” Shipley added.

“This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges.”