"That’s because more than 80 percent of software applications built in-house by enterprise developers incorporate open source components and frameworks that may be vulnerable," writes ZDNet's Paula Rooney.
"In a joint effort, Sonatype and Aspect Security tallied more than 46 million downloads of out-of-date versions of 31 of the most popular open-source libraries and web frameworks," writes The Register's Gavin Clarke. "One in three of the most popular components were downloaded with holes despite the existence of new versions complete with security fixes."
"The report, which analyzed code downloaded from a popular collection of open source components known as the Central Repository, found that a large number of development organizations, including half of Global 100 financial firms, used vulnerable libraries from the repository," writes InfoWorld's Robert Lemos.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"The most downloaded vulnerable library was [Google Web Toolkit]; only a minority of downloads contained no known vulnerabilities," The H Security reports.
"Our analysis points to critical gaps in the open-source component ecosystem -- a lack of visibility and control compounded by the lack of a centralized update notification infrastructure," Sonatype CEO Wayne Jackson said in a statement. "Every day, mission-critical applications are compromised by malicious exploit, yet as this analysis shows, organizations have no clear view into component usage."
"The troublesome nature of the situation becomes even clearer when you consider the viral nature of the open source component ecosystem," notes CSO Online's Thor Olavsrud. "A single open source component can be reused in dozens or even hundreds of other components, meaning that a flaw in that component will then be inherited by every component that depends on it."