The Register® — Biting the hand that feeds IT


Devs spanked for touching vulnerable open-source packages

Broken code often reused while fixes left on the shelf


Developers are sucking buggy open-source programming frameworks off the web unaware that newer fixed versions exist, according to a new report.

Packages of the Google Web Toolkit, the Spring Model View Controller, and Apache's Struts and Xerces have been downloaded millions of times despite the fact they contain known vulnerabilities - as evidenced by a trawl through the Sonatype.org central repository.

In a joint effort, Sonatype and Aspect Security tallied more than 46 million downloads of out-of-date versions of 31 of the most popular open-source libraries and web frameworks.

One in three of the most popular components were downloaded with holes despite the existence of new versions complete with security fixes.

The research found that dodgy components are going into most of the world's program code: 80 per cent of "typical software applications" are open-source components and frameworks compiled into binary form. The 500 biggest companies downloaded more than 2.8 million packages with holes in one year, according to the study.
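The report's core finding is a version gap: a component pulled at a release older than the one carrying the security fix. As an added example that is not from the article or the Sonatype/Aspect report, the Python below checks the dependencies declared in a Maven pom.xml against an advisory table, with a version comparison that handles multi-digit components (2.3.9 before 2.3.10) and pre-release qualifiers (3.2.2-RC1 before 3.2.2). The artifact coordinates are real Maven names, but the advisory IDs, "fixed in" versions and the pom itself are constructed placeholders.

```python
# Added example, not from the article or the Sonatype/Aspect report: flag Maven dependencies
# pinned below the release that shipped a security fix. ADVISORIES and POM_XML are CONSTRUCTED
# sample data; the advisory IDs and "fixed in" versions are placeholders, not real advisories.
import re
import xml.etree.ElementTree as ET

ADVISORIES = {  # (groupId, artifactId) -> [(advisory id, first version containing the fix)]
    ("org.apache.struts", "struts2-core"): [("ADV-EXAMPLE-001", "2.3.16")],
    ("xerces", "xercesImpl"): [("ADV-EXAMPLE-002", "2.11.0")],
    ("org.springframework", "spring-webmvc"): [("ADV-EXAMPLE-003", "3.2.2")],
}

POM_XML = """<project>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.3.15.1</version></dependency>
    <dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId><version>2.11.0</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>3.2.2-RC1</version></dependency>
    <dependency><groupId>com.google.gwt</groupId><artifactId>gwt-user</artifactId><version>2.5.1</version></dependency>
  </dependencies>
</project>"""

def version_parts(version: str) -> list:
    """Numeric parts compare as integers (2.3.9 < 2.3.10); a qualifier such as
    RC1 gets rank 0 so it sorts below the final release it precedes."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-]", version)]

def is_older(installed: str, fixed: str) -> bool:
    """True when installed predates fixed; missing trailing parts count as .0, so 2.3.16 > 2.3.16-RC1."""
    a, b = version_parts(installed), version_parts(fixed)
    n = max(len(a), len(b))
    return a + [(1, 0)] * (n - len(a)) < b + [(1, 0)] * (n - len(b))

def declared_dependencies(pom_text: str):
    """Yield (groupId, artifactId, version) per <dependency>, ignoring any XML namespace."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    for dep in ET.fromstring(pom_text).iter():
        if local(dep.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            yield f["groupId"], f["artifactId"], f["version"]

def find_outdated(pom_text: str) -> list:
    """(coordinate, declared version, advisory, fixed version) for each dependency
    pinned below the fixing release; the pre-release 3.2.2-RC1 is caught as well."""
    findings = []
    for g, a, v in declared_dependencies(pom_text):
        for adv_id, fixed in ADVISORIES.get((g, a), []):
            if is_older(v, fixed):
                findings.append((f"{g}:{a}", v, adv_id, fixed))
    return findings
```

Running `find_outdated(POM_XML)` flags the Struts and Spring MVC entries and leaves Xerces (already at the fixed version) and GWT (no advisory in the table) alone.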

Aspect Security boss Jeff Williams called the data "a wake-up call" for software development organisations.

"While the numbers from this report are staggering, the takeaway is clear - open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," he said.

Earlier this year, code testing specialist Coverity revealed in its annual report that the quality of open-source code was on a par with the closed stuff.

Analysing 37 million lines of code from 45 of the most active open-source projects, Coverity found the number of defects per thousand lines of code was 0.45. Linux 2.6, PHP 5.3 and PostgreSQL 9.1 scored best.

That's compared to 0.64 in 300 million lines of code from 41 proprietary codebases. The industry average defect density is conveniently 1.0.

Coverity said those who commit to ensuring software quality by adopting development testing will "reap the benefits of high code quality and continue to see quality improvements over time". ®


What this doesn't say is how many of those downloads of old versions are done knowingly because devs are working with legacy code that only supports Tomcat v3.1.4.1.5 RC1 and nothing else? Or because the company policy mandates a particular version of a product irrespective of whether it has security holes or not?


One thing not mentioned here

Sometimes new releases of libraries break applications. In the Windows world, for example, we have software we rely on (and is very expensive) which breaks if the wrong version or service pack of .NET is installed. That isn't helped by these companies not updating their code very often (we had to wait nearly a year to get IE7 everywhere as the web front ends were only built to work in IE6; sadly I'd get in trouble for naming the company in question).

Another app (I'll happily name) is the Shibboleth Identity Provider. As a Tomcat webapp (which I hate as it's complex and I don't understand it) I'm reliant on public information about which versions of Xerces libraries are compatible with Shibboleth. And getting an apache-tomcat stack, with the certificates at each end, that'll talk to secure service providers, is a pain in the backside I'm unwilling to do unless our SAN blows up and the extra backups go boom.

</ramble>

Anonymous Coward

Wake-up call? You'll need 40kV to the testes for that one

What does some guy making a soundbite headline think is going to wake everyone up, when 9/10ths of the time when you discover an issue, the vendor just ignores it?

There are some good ones that will turn around a fix in days rather than spend the next 4 years managing the risk on some post-it note stuck to the underside of the boss's desk where nobody will see it, but sadly they are few and far between and getting rarer in this cut-price world of ours.

The vast majority with issues already know their products stink; they've probably been told the same by their tech leads but talk it away. The people running the companies do not care. Product is selected by the majority of customers on the bottom line alone. Wake-up call? Don't make me laugh.

Welcome to a brave new MBA-led world.

