SECURITY FIRM VERACODE has released a damning report into open source and third-party software components, warning, for example, that almost all Java applications ship with at least one vulnerable component.
Veracode publishes this report every year, so it is used to seeing plenty change, but Java is a regular feature. The firm said that first-party code improves year on year, but that the same cannot be said of open source and third-party software.
Of course, this can cause problems for people and companies that do not carefully vet the components they use.
"The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries," said Brian Fitzgerald, chief marketing officer at Veracode, as the firm revealed the findings of its annual State of Software Security report.
"Today, a cyber criminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds.
"Given our dependence on applications, the ease with which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy."
The short version is that more careful consideration should be given to the security of the components in any software project or system. Judging by Veracode's results, it really isn't.
The firm found that 97 per cent of Java apps have at least one component with a known vulnerability, and that 60 per cent of all applications fail their security policy on a first scan.
Perhaps not news is the finding that organisations that sandbox development before assurance testing tend to be better at security than those that do not. Also worth noting is that security tends to be better where training and remediation coaching are in place.
"The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments," added Chris Wysopal, co-founder and CTO at Veracode.
"Our platform data shows that more companies are starting to test applications multiple times throughout the development lifecycle. The average number of security tests per app was seven, and some apps were scanned 700 to 800 times in an 18-month period.
"We are encouraged by this information because it suggests that companies are more deeply embedding security into their software development processes."