A recent Synopsys study of 128,782 software applications found that almost 50 percent of the third-party software components of those applications are more than four years old, with a more secure version of the software component available in almost every case.
“Over time, vulnerabilities in third-party components are discovered and disclosed, leaving a previously secure software package open to exploits,” Synopsys Software Integrity Group general manager Andreas Kuehlmann said in a statement. “The message to the software industry should not be whether to use open source software, but whether you are vigilant about keeping it updated to prevent attacks.”
In the 128,782 applications studied, the survey identified 16,868 unique versions of open source and commercial software components containing 9,553 unique security vulnerabilities.
The oldest vulnerability dates back to 1999.
“Coming on the heels of last month’s WannaCry outbreak, the insights in the report serve as a wakeup call that not everyone is using the most secure version of available software,” Synopsys security strategist Robert Vamosi said. “The update process does not end at the time of software release, and an ongoing pattern of software updates must be implemented throughout the product lifecycle.”
“As new CVEs are disclosed against open source software components, developers need to know whether their products are affected, and organizations need to prevent the exploit of vulnerabilities with the latest versions when they become available,” Vamosi added.
Struggles with Patch Management
Still, recent research conducted by Vanson Bourne found that companies are struggling to stay on top of patches and updates.
The survey of 500 CISOs from the U.S., U.K. and Germany, sponsored by Bromium, found that 53 percent of respondents said crisis patch management is a major disruption to their IT and security teams.
Enterprises have to issue an emergency patch an average of five times a month, with each case requiring an average of 13 hours of work to fix.
Over half of respondents have had to pay overtime or bring in a third-party team to issue patches or deal with a security issue, at an average cost of $19,908 per patch.
“We can see with the recent WannaCry outbreak — where an emergency patch was issued to stop the spread of the worm — that enterprises are still having to paper over the cracks in order to secure their systems,” Bromium CTO and co-founder Simon Crosby said in a statement. “The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences.”
“WannaCry has certainly shined a spotlight on a problem that has plagued enterprises for years,” Crosby added. “It is simply impractical to expect enterprise organizations to continually upgrade — even when they have licenses, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs.”