Open source is code like any other, and according to a study by Coverity it likely contains defects at a rate similar to other software (about 1 defect per 1000 lines of code). According to Veracode's State of Software Security report, 70% of applications fail to comply with basic enterprise security policies, such as the OWASP Top 10 and the CWE/SANS Top 25. Yet while software developers test their own code regularly and rigorously, and tend to fix security vulnerabilities in it immediately, most pay little attention to the open source libraries that ship with their products. Popular open source projects are of course scrutinized by many users, who often discover defects more quickly than would otherwise happen, and those defects are well documented: the Common Vulnerabilities and Exposures (CVE) database currently lists hundreds of security vulnerabilities directly related to open source libraries. On the positive side, open source communities are often quick to fix and otherwise upgrade their code (sometimes more than five times a year). Unfortunately, developers who do not monitor for these discoveries and updates will not know about the vulnerabilities and will not upgrade the version of the library they use. According to White Source research, 85% of software projects use outdated libraries.
Source: opensource/business/13/10/security-vulnerabilities-open-source-libraries
Posted on: Thu, 31 Oct 2013 14:08:41 +0000