Open Source and Third-Party Components Embed 24 Known Vulnerabilities into Every Web Application on Average

By ISBuzz Team, Writer, Information Security Buzz | Oct 23, 2014 05:02 pm PST

Veracode, a leader in protecting modern enterprises from today’s pervasive web and mobile application threats, has released analytics from its cloud-based platform that expose the significant risk created by the widespread use of open source and third-party components. Using the company’s newly-released software composition analysis service, Veracode analysed more than 5,300 enterprise applications uploaded to its platform over the past two months and determined that components introduce an average of twenty-four known vulnerabilities into each web application. Many of these vulnerabilities expose enterprises to significant cyber threats such as data breaches, malware injections and Denial-of-Service (DoS) attacks.


To accelerate delivery of digital innovations, it is now common in both traditional and agile development processes to incorporate reusable, pre-built software components. These components are often obtained from open source developers. In fact, according to industry analysts, 95% of all IT organisations will leverage some element of open source software in their mission-critical IT solutions by 2015. In addition, FS-ISAC states that “the majority of internal software created by financial services involves acquiring open source components and libraries to augment custom-developed software.”

Most third-party and open source components do not undergo the same level of security scrutiny as custom-developed software. To address this risk in the software supply chain, industry groups such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components. However, it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used. This leaves countless web and mobile applications at risk, especially once a new vulnerability, such as Heartbleed, has been publicly disclosed.
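The inventory problem described above (which applications, across many repositories, ship a component at a version covered by a newly disclosed advisory) is the core of a software composition check. The script below is an added illustration and is not Veracode's service or code: it parses a few constructed `name==version` manifests from hypothetical applications, matches them against a constructed advisory list with half-open version ranges, and reports every affected application. The component names, version numbers, advisory ids and severities are all made up for the example; the version comparison handles OpenSSL-style letter patch suffixes (such as `1.0.1e`) because those are the form a Heartbleed-era advisory would use.

```python
import re
from collections import defaultdict

# Constructed sample data: dependency manifests from three hypothetical
# applications in a requirements.txt-style "name==version" format.
MANIFESTS = {
    "payments-api": "tlslib==1.0.1e\njsonparse==2.3.0\n",
    "customer-portal": "# pinned deps\ntlslib==1.0.1g\nimagekit==0.9.2\n",
    "mobile-backend": "jsonparse==2.1.0\ntlslib==1.0.1c\n",
}

# Constructed advisory list (not a real feed): component, first affected
# version, first fixed version, placeholder advisory id, severity.
ADVISORIES = [
    {"component": "tlslib", "introduced": "1.0.1", "fixed": "1.0.1g",
     "id": "ADV-0001 (constructed)", "severity": "Very High"},
    {"component": "jsonparse", "introduced": "2.0.0", "fixed": "2.2.0",
     "id": "ADV-0002 (constructed)", "severity": "High"},
]

_PIECE = re.compile(r"(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1e' into ((1, ''), (0, ''), (1, 'e')) so that tuple comparison
    orders releases numerically and a letter patch after its bare release."""
    parts = []
    for piece in text.strip().split("."):
        m = _PIECE.fullmatch(piece)
        if m is None:
            raise ValueError(f"unsupported version syntax: {text!r}")
        parts.append((int(m.group(1)), m.group(2)))
    # Pad so that '2.0' and '2.0.0' compare equal.
    while len(parts) < 3:
        parts.append((0, ""))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_manifest(text):
    """Return (component, version) pairs from 'name==version' lines,
    ignoring blank lines and comments."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        deps.append((name.lower(), version))
    return deps


def find_risky_components(manifests, advisories):
    """Map every application to the advisories its pinned components fall under.
    This answers the inventory question: which apps ship component X at a
    version inside an advisory's affected range?"""
    by_component = defaultdict(list)
    for adv in advisories:
        by_component[adv["component"].lower()].append(adv)
    findings = []
    for app, text in manifests.items():
        for name, version in parse_manifest(text):
            for adv in by_component.get(name, []):
                if is_affected(version, adv["introduced"], adv["fixed"]):
                    findings.append({"application": app, "component": name,
                                     "version": version, "advisory": adv["id"],
                                     "severity": adv["severity"]})
    return findings


def applications_with_high_findings(findings):
    """Sorted list of applications with at least one High or Very High finding."""
    return sorted({f["application"] for f in findings
                   if f["severity"] in ("High", "Very High")})


if __name__ == "__main__":
    for f in find_risky_components(MANIFESTS, ADVISORIES):
        print(f"{f['application']:16} {f['component']}=={f['version']:8} "
              f"{f['severity']:10} {f['advisory']}")
```

Run against the embedded sample, the check flags `payments-api` and `mobile-backend` (the latter twice) and leaves `customer-portal` clean because its `tlslib` pin equals the first fixed version. In a real deployment the manifests would be pulled from every repository and build artefact in the estate, and the advisory list from a maintained vulnerability feed, but the matching logic is the same.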

“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight ‘Very High Severity’ or ‘High Severity’ vulnerabilities per application caused by open source and third-party components,” said Phil Neray, Veracode’s VP of enterprise security strategy. “The data suggests that virtually all applications have at least one critical vulnerability caused by reusable components. This tells us we can significantly reduce enterprise risk by continuously auditing our customers’ application portfolios for the presence of risky components.”

Veracode’s new automated service helps enterprises quickly identify all applications with vulnerable components and determine exactly where specific components are used across multiple development teams, including outsourcers. Customers can immediately take advantage of the new service because it works with all the software they’ve already uploaded for binary static analysis (SAST). Veracode’s world-class security experts also provide remediation advisory services to help customers rapidly prioritize and mitigate vulnerabilities across their global application infrastructures.

With the addition of this service, Veracode becomes the only vendor to offer a unified platform for SAST, DAST and software composition analysis. To simplify automated governance and systematically reduce risk, Veracode’s cloud-based platform offers centralised policies and KPIs for measuring security posture in a consistent manner across disparate business units and both internal and external development teams.

About Veracode

Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-criminals can find and exploit them, Veracode helps enterprises deliver innovation to market faster – without sacrificing security.

Veracode’s powerful cloud-based platform, deep security expertise and programmatic, best practices approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.

Recognised as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and more than 25 of the world’s top 100 brands. Learn more on the Veracode blog and on Twitter.