Open Source And Third Party Bugs 'Rife In Enterprise Apps' Claim

Oct 24, 2014

Enterprise applications that include open source or third party components will have an average of 24 known vulnerabilities that can leave companies open to being hit by the next Heartbleed or Shellshock.

Veracode, an enterprise security firm, surveyed 5,300 enterprise applications and found that all are leaving themselves open to a range of threats such as data breaches, malware injections and denial of service attacks due to the less-stringent checks on third party and open source components.

“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight “Very High Severity” or “High Severity” vulnerabilities per application caused by open source and third-party components,” said Phil Neray, Veracode’s VP of enterprise security strategy.

'Open To Vulnerabilities'

Addressing the risk in the software supply chain is already being handled by industry groups such as OWASP, PCI and FS-ISAC, which all require policies and controls to cover the use of components. The only problem with this is that global enterprises with different code repositories can find it exceedingly difficult to pinpoint the applications where a “risky component” from an open source or third party is being used.

This is further compounded by the fact third party and open source components don’t undergo the same level of security checks of custom developed software thus throwing them open to vulnerabilities.

To fight the amount of vulnerabilities present, Veracode has implemented a new automated service for enterprises that allows them to find exactly where the flaws exist and the team members that use them, including outsourcers. Companies can use the service right away as it has backwards compatibility with all software they’ve already uploaded for binary static analysis [SAST].

Veracode claims that the new solution means it is the only vendor to offer a united platform for SAST, DAST and software composition analysis with the cloud-based platform also offering centralised policies and KPIs to measure security posture consistently across units and teams.

Image Credit: Flickr (Global Panorama)

Author: Jamie Hinks 

View the original article here.
Published under license from ITProPortal.com
applications / enterprise software / ITProPortal / open source / Partners / security breach / Technology / veracode

Comment

 

Understanding the risks and rewards of public sector cloud 

Download the Whitepaper now

Partner

24Newswire
Sign up to receive latest news

Twitter Feed

Why does pubsec ICT PR firm @MantisPR want to be at the upcoming #eventcentreUK THINK Digital Vendors 2016 event? https://t.co/3tE5o7aMmO
@24nbiz
Apr 01, 2016
@thinkdigicon supporter @Adv365 sets out its stall for tomorrow's landmark #gcloud event https://t.co/FQraJP2yyg
@24nbiz
Mar 21, 2016
@thinkdigicon supporter @Adv365 explains why it's supporting tomorrow's show https://t.co/2Wj3UECo9s
@24nbiz
Mar 21, 2016
@24n.biz: what's the final agenda for tomorrow's @thinkdigicon #gcloud @GOVUKdigimkt show? https://t.co/6CASi8lrnU
@24nbiz
Mar 21, 2016