As part of a study, they investigated 1000 applications that are frequently used in companies. Among them were also banking apps, which contained on average 52 open-source vulnerabilities. In 60 percent of these apps, the researchers classified at least one vulnerability as critical.
96 percent of the investigated apps used open-source components. In 60 percent of the apps, dangerous vulnerabilities were located in exactly this code. In some cases the flaws had already been known for more than four years and were still not patched.
In retail and online commerce, the researchers found the highest proportion of software with serious open-source gaps. Here, 83 percent of applications had unpatched vulnerabilities classified as critical in their open-source code.
Developers rely on open source to reduce the cost of developing their own applications. The "ready-made" code helps them bring their products to market faster and extend their apps with innovative features. However, such open-source projects are often maintained only by a community whose members can look after the code only on the side and without payment.
If a commercial software product is based on an open-source component, it may also contain that component's vulnerabilities. While the open-source community usually provides the needed patches, these do not automatically flow into the third-party applications. Only the developers of those applications are responsible for that.
According to the study, however, many of these vendors are not aware of which parts of their software are based on open source. As a result, license problems occurred in 85 percent of the analyzed applications. "Everybody uses a lot of open source, but as the study shows, only a few do a good job of detecting and monitoring open-source components and vulnerabilities in their applications," said Chris Fearon, Director of the Open Source Security Research Group at Black Duck.
A well-known example of a gap in open-source software with numerous commercial implementations is the OpenSSL bug referred to as Heartbleed. The bug, to which web servers among others are vulnerable, was discovered in April 2014. Although manufacturers hurried to publish updates, almost 300,000 servers worldwide were still affected in June 2014. At the end of January 2017, more than two and a half years later, the SHODAN search engine still reported just under 200,000 services running a version of OpenSSL vulnerable to Heartbleed.
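As an added illustration (not from the article, and not Black Duck's tooling): a minimal check of the kind an inventory of open-source components enables, flagging components whose version falls inside a known-vulnerable range even though an upstream fix exists. The OpenSSL entry uses the publicly documented Heartbleed range (1.0.1 through 1.0.1f, fixed in 1.0.1g); the second advisory, the inventory and the component names are constructed.

```python
"""Minimal software-composition check: flag inventoried open-source
components whose version lies in a known-vulnerable range (constructed example)."""
import re

# Constructed advisory list. The OpenSSL entry reflects the documented
# Heartbleed range; "examplelib" and its advisory are made up for illustration.
ADVISORIES = [
    {"component": "openssl", "name": "Heartbleed",
     "affected_min": "1.0.1", "affected_max": "1.0.1f", "fixed": "1.0.1g"},
    {"component": "examplelib", "name": "EXAMPLE-ADVISORY (constructed)",
     "affected_min": "2.0.0", "affected_max": "2.3.1", "fixed": "2.3.2"},
]


def version_key(version):
    """Sort key for versions like '1.0.1f': numeric parts, then the patch letter.
    A missing letter sorts before 'a', so 1.0.1 < 1.0.1a < 1.0.1f."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "1.0" -> (1, 0, 0)
    return nums, m.group(2)


def find_unpatched(inventory, advisories=ADVISORIES):
    """Return (component, version, advisory, fixed_version) for every inventory
    entry whose version is inside an advisory's affected range."""
    hits = []
    for comp, ver in inventory:
        for adv in advisories:
            if adv["component"] != comp.lower():
                continue
            lo, hi = version_key(adv["affected_min"]), version_key(adv["affected_max"])
            if lo <= version_key(ver) <= hi:
                hits.append((comp, ver, adv["name"], adv["fixed"]))
    return hits


# Constructed inventory: the component list a scan of one application might yield
INVENTORY = [("openssl", "1.0.1f"), ("openssl", "1.0.1g"), ("openssl", "1.0.0m"),
             ("examplelib", "2.3.1"), ("zlib", "1.2.8")]

if __name__ == "__main__":
    for comp, ver, name, fixed in find_unpatched(INVENTORY):
        print(f"{comp} {ver}: affected by {name}; upstream fix available in {fixed}")
```

Only the 1.0.1f build is flagged: 1.0.1g carries the upstream fix and the 1.0.0 branch is outside the affected range, which is exactly the distinction a vendor cannot make without knowing which components and versions ship in its product.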
[With material from Charlie Osborne, ZDNet.com]