Devs spanked for touching vulnerable open-source packages
Broken code often reused while fixes left on the shelf
Developers are sucking buggy open-source programming frameworks off the web unaware that newer fixed versions exist, according to a new report.
Packages of the Google Web Toolkit, the Spring Model View Controller, and Apache's Struts and Xerces have been downloaded millions of times despite the fact they contain known vulnerabilities - as evidenced by a trawl through the Sonatype.org central repository.
In a joint effort, Sonatype and Aspect Security tallied more than 46 million downloads of out-of-date versions of 31 of the most popular open-source libraries and web frameworks.
One in three of the most popular components were downloaded with holes despite the existence of new versions complete with security fixes.
The research found that dodgy components are going into most of the world's program code: 80 per cent of "typical software applications" are open-source components and frameworks compiled into binary form. The 500 biggest companies downloaded more than 2.8 million packages with holes in one year, according to the study.
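The report's measurement, a dependency pinned below the newest release the repository advertises, can be reproduced locally as a build-time check. The Python below is an added example, not code from Sonatype, Aspect Security or the article; it uses a constructed pom.xml fragment and a constructed stand-in for the repository's maven-metadata `<latest>` values, and its version ordering is a simplified approximation of Maven's (enough for numeric parts and a trailing RC/beta/SNAPSHOT qualifier), not the real implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (sample input; hypothetical artifacts, not a real project).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>web-mvc</artifactId><version>2.4.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>xml-parser</artifactId><version>1.9.1-RC1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>toolkit</artifactId><version>3.0.0</version></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for each artifact's maven-metadata.xml <latest> value
# (hypothetical versions; in practice these are fetched from the repository).
LATEST = {
    "com.example:web-mvc": "2.5.2",
    "com.example:xml-parser": "1.9.1",
    "com.example:toolkit": "3.0.0",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(v):
    """Simplified Maven-style ordering key: numeric parts compare numerically,
    trailing zeros are ignored (2.4 == 2.4.0), and a version carrying a
    qualifier (RC1, beta, SNAPSHOT) ranks below the bare release of the same number."""
    parts = re.split(r"[.\-]", v)
    nums, qual = [], []
    for p in parts:
        (nums if p.isdigit() else qual).append(p)
    while nums and nums[-1] == "0":
        nums.pop()
    return (tuple(int(n) for n in nums), 0 if qual else 1, tuple(q.lower() for q in qual))


def outdated_dependencies(pom_xml, latest):
    """Return [(coordinate, declared, newest)] for every dependency whose declared
    version sorts below the newest release the repository metadata reports."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        declared = dep.findtext("m:version", namespaces=NS)
        newest = latest.get(f"{group}:{artifact}")
        if newest and version_key(declared) < version_key(newest):
            found.append((f"{group}:{artifact}", declared, newest))
    return found


if __name__ == "__main__":
    for coord, declared, newest in outdated_dependencies(POM, LATEST):
        print(f"{coord}: declared {declared}, newest available {newest}")
```

A lagging version is only a signal that an advisory lookup is due; whether the gap actually carries a security fix has to come from the project's release notes or an advisory feed.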
Aspect Security boss Jeff Williams called the data "a wake-up call" for software development organisations.
"While the numbers from this report are staggering, the takeaway is clear - open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," he said.
Earlier this year, code testing specialist Coverity revealed in its annual report that the quality of open-source code was on a par with the closed stuff.
Analysing 37 million lines of code from 45 of the most active open-source projects, Coverity found the number of defects per thousand lines of code was 0.45. Linux 2.6, PHP 5.3 and PostgreSQL 9.1 scored best.
That's compared to 0.64 in 300 million lines of code from 41 proprietary codebases. The industry average defect density is conveniently 1.0.
Coverity said those who commit to ensuring software quality by adopting development testing will "reap the benefits of high code quality and continue to see quality improvements over time". ®
What this doesn't say is how many of those downloads of old versions are done knowingly because devs are working with legacy code that only supports Tomcat v188.8.131.52.5 RC1 and nothing else? Or because the company policy mandates a particular version of a product irrespective of whether it has security holes or not?
One thing not mentioned here
Sometimes new releases of libraries break applications. In the Windows world, for example, we have software we rely on (and is very expensive) which breaks if the wrong version or service pack of .NET is installed. That isn't helped by these companies not updating their code very often (we had to wait nearly a year to get IE7 everywhere as the web front ends were only built to work in IE6; sadly I'd get in trouble for naming the company in question).
Another app (I'll happily name) is the Shibboleth Identity Provider. As a Tomcat webapp (which I hate as it's complex and I don't understand it) I'm reliant on public information about which versions of Xerces libraries are compatible with Shibboleth. And getting an apache-tomcat stack, with the certificates at each end, that'll talk to secure service providers, is a pain in the backside I'm unwilling to do unless our SAN blows up and the extra backups go boom.
Wake-up call? You'll need 40kV to the testes for that one
What does some guy making a soundbite headline think is going to wake everyone up, when 9/10ths of the time, when you discover an issue, the vendor just ignores it?
There are some good ones that will turn around a fix in days rather than spend the next 4 years managing the risk on some post it note stuck to the underside of the boss's desk where nobody will see it, but sadly they are few and far between and getting rarer in this cut price world of ours.
The vast majority with issues already know their products stink; they've probably been told the same by their tech leads but talk it away. The people running the companies do not care. Product is selected by the majority of customers on the bottom line alone. Wake-up call? Don't make me laugh.
Welcome to a brave new MBA-led world.