Survey: Software Supply Chain Full of Bugs
The downside to the vibrant open source software sector is a supply chain rife with security vulnerabilities and clogged with outdated versions of widely used software components, a new report warns.
The survey released Friday (June 9) by chip design specialist Synopsys Inc. (Nasdaq: SNPS) found that widely publicized vulnerabilities such as the Heartbleed bug (CVE-2014-0160 in OpenSSL) persist in commonly used third-party software. The company said Heartbleed appeared in the majority of all "common vulnerabilities and exposures" it uncovered, even though a fixed OpenSSL release has been available since April 2014.
"Over time, vulnerabilities in third-party components are discovered and disclosed, leaving a previously secure software package open to exploits," noted Andreas Kuehlmann, general manager of the Synopsys Software Integrity Group.
"The message to the software industry should not be whether to use open source software, but whether you are vigilant about keeping it updated to prevent attacks," Kuehlmann added.
The survey also uncovered vulnerabilities in open-source software dating as far back as 1999. Nearly half of all bugs date back to 2013 or earlier.
The cat-and-mouse game played by hackers and security experts was highlighted again last month by the global WannaCry ransomware outbreak, which spread through a Windows SMB flaw that Microsoft had patched two months earlier. The stakes appear to be higher as more distributions of open-source software hit the market, observers warn.
"The update process does not end at the time of software release, and an ongoing pattern of software updates must be implemented throughout the product lifecycle," added Robert Vamosi, a security strategist at Synopsys.
Synopsys and other intellectual property and software licensors are pitching a variety of products designed to keep up with software security updates. For example, software-licensing vendor Flexera Software last fall acquired Palamida Inc., which specializes in identifying vulnerable software components.
Flexera said the acquisition would expand its software license compliance business to include security monitoring in the "under-managed world" of open source software components.
In response to the growing number of software vulnerabilities and exploits, the Linux Foundation launched the Core Infrastructure Initiative after the Heartbleed disclosure to fund and harden critical open source projects. Linus Torvalds, the father of the Linux kernel, has acknowledged that most of the security issues related to open source development have been "completely stupid bugs that no one really would have thought of as having security issues."
During 2016, Synopsys said it analyzed more than 128,700 software applications and identified 16,868 unique versions of open source and commercial software components containing nearly 10,000 unique security vulnerabilities. In most cases, a more secure version of a software component was available, it added.
Among the most common software components found in outdated versions were: curl, Dropbear, Expat, libjpeg-turbo, libjpeg, libpng, the Linux kernel, Lua, OpenSSL and PCRE.
"If they are not updated, these software components may leave products vulnerable," the company warned.
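The check behind findings like these is a version-range comparison of a component inventory against a table of advisories. The following is an added example illustrating that check, not Synopsys's or any vendor's code. The only real advisory entry is Heartbleed (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the inventory rows are constructed sample input, and the `Advisory`, `parse_version` and `check_inventory` names are this example's own.

```python
"""Version-range check over a component inventory: the core of the kind of
software composition analysis the survey describes. Added example; not
Synopsys tooling."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    affected_from: str  # inclusive lower bound
    fixed_in: str       # exclusive upper bound: this release carries the fix


# Real entry: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g (April
# 2014) fixed it. The 1.0.2-beta1 pre-release was also affected; "-beta"
# strings are deliberately outside what this small parser accepts.
ADVISORIES = (
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g"),
)

# Constructed sample inventory standing in for an SBOM. Not real scan data.
INVENTORY = (
    ("openssl", "1.0.1f"),              # inside the affected range
    ("openssl", "1.0.1u"),              # same branch, past the fix
    ("openssl", "1.0.2k"),              # later branch
    ("openssl", "0.9.8y"),              # older branch, never affected
    ("openssl", "1.0.1f-1ubuntu2.22"),  # distro string: do not guess
    ("curl", "7.52.1"),                 # no advisory in the table
)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(text: str) -> Optional[tuple]:
    """Turn '1.0.1f' into a comparable key: up to four numeric fields padded
    with zeros, then the OpenSSL-style patch letter as an ordinal (none = 0).
    Anything else (distro suffixes, pre-release tags) returns None so the
    caller surfaces it instead of silently treating it as clean."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    if len(nums) > 4:
        return None
    nums += [0] * (4 - len(nums))
    letter = m.group(2)
    return (*nums, ord(letter) - ord("a") + 1 if letter else 0)


def check_inventory(inventory=INVENTORY, advisories=ADVISORIES) -> dict:
    """Classify each entry as 'vulnerable' (inside an affected range),
    'unparsed' (version string not understood) or 'clean' (no matching
    advisory, which says nothing about CVEs absent from the table)."""
    report = {"vulnerable": [], "unparsed": [], "clean": []}
    for component, version in inventory:
        key = parse_version(version)
        if key is None:
            report["unparsed"].append((component, version))
            continue
        hits = [
            a.cve for a in advisories
            if a.component == component
            and parse_version(a.affected_from) <= key < parse_version(a.fixed_in)
        ]
        if hits:
            report["vulnerable"].append((component, version, tuple(hits)))
        else:
            report["clean"].append((component, version))
    return report


if __name__ == "__main__":
    for status, rows in check_inventory().items():
        for row in rows:
            print(status.upper(), *row)
```

Two caveats a practitioner would want: an unparsed version is a finding, not a pass, because the Ubuntu-style string above may carry a backported Heartbleed fix under an upstream version number that looks vulnerable, and distribution packages do this routinely, so pure version matching over-reports on them. And "clean" only means no advisory in the supplied table matched; with a table this small it says nothing about curl or any other component.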