Almost Half of All Third-Party Software Components Are Outdated, Insecure

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A recent Synopsys study of 128,782 software applications found that almost 50 percent of the third-party software components of those applications are more than four years old, with a more secure version of the software component available in almost every case.

“Over time, vulnerabilities in third-party components are discovered and disclosed, leaving a previously secure software package open to exploits,” Synopsys Software Integrity Group general manager Andreas Kuehlmann said in a statement. “The message to the software industry should not be whether to use open source software, but whether you are vigilant about keeping it updated to prevent attacks.”

In the 128,782 applications studied, the survey identified 16,868 unique versions of open source and commercial software components containing 9,553 unique security vulnerabilities.

The oldest vulnerability dates back to 1999.

“Coming on the heels of last month’s WannaCry outbreak, the insights in the report serve as a wakeup call that not everyone is using the most secure version of available software,” Synopsys security strategist Robert Vamosi said. “The update process does not end at the time of software release, and an ongoing pattern of software updates must be implemented throughout the product lifecycle.”

“As new CVEs are disclosed against open source software components, developers need to know whether their products are affected, and organizations need to prevent the exploit of vulnerabilities with the latest versions when they become available,” Vamosi added.

Struggles with Patch Management

Still, recent research conducted by Vanson Bourne found that companies are struggling to stay on top of patches and updates.

The survey of 500 CISOs from the U.S., U.K. and Germany, sponsored by Bromium, found that 53 percent of respondents said crisis patch management is a major disruption to their IT and security teams.

Enterprises have to issue an emergency patch an average of five times a month, with each case requiring an average of 13 hours of work to fix.

Over half of respondents have had to pay overtime or bring in a third party team to issue patches or deal with a security issue, at an average cost of $19,908 per patch.

“We can see with the recent WannaCry outbreak — where an emergency patch was issued to stop the spread of the worm — that enterprises are still having to paper over the cracks in order to secure their systems,” Bromium CTO and co-founder Simon Crosby said in a statement. “The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences.”

“WannaCry has certainly shined a spotlight on a problem that has plagued enterprises for years,” Crosby added. “It is simply impractical to expect enterprise organizations to continually upgrade — even when they have licenses, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs.”

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis