This emerges from the State of Software Security (SOSS) 2017 report published by CA Veracode. According to it, 88 percent of applications contain at least one vulnerable component, and 53 percent of Java applications even build on a component that is vulnerable to a flaw with a CVE ID.
The use of open-source components in Java applications brings significant risks with it. This affects thousands of programs in daily use. That is the conclusion of the current edition of the State of Software Security (SOSS) 2017 report by CA Veracode.
According to the report by the specialist, which CA Technologies acquired in the spring, 88 percent of Java applications use one or more components that are vulnerable to attack. And 53 percent of Java applications even build on code containing a flaw that is already recorded in the CVE vulnerability database.
The reason is the frequent reuse of components, especially in Java. It lets developers move faster and makes their work easier. According to CA Veracode, up to 75 percent of an application's code can be made up of open-source components. But there is also the risk that vulnerabilities contained in, or later discovered in, the components used are not closed, either because nobody takes care of them anymore or because they are not known.
CA Veracode staff member and silicon.de blogger Julian Totzek-Hallhuber recently pointed this out as well. Reuse makes work easier not only for developers but also for cybercriminals: "If a single open-source component has found its way into thousands of applications, an attack does not have to be planned and carried out for each individual piece of software; only the component used needs to be targeted. Thousands of applications at a stroke," says Totzek-Hallhuber on silicon.de.
As an example, his company refers to the problems with a patch for Apache Struts made available in the spring. Since the gap was not closed immediately in all of the programs using this component, an estimated 30 to 35 million websites were vulnerable to attack through it.
The eighth edition of the Veracode report is based on over 400,000 code analyses and 250 billion examined lines of code. In the last twelve months, 12.8 million flaws were discovered in the process. According to the report, only 28 percent of companies perform an analysis to identify the building blocks of their software and keep track of them. CA Veracode offers its own tools and services for this task.
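The kind of analysis the report refers to, identifying an application's components and checking them against known-vulnerable version ranges, boils down to the matching shown below. This is an added illustration, not code from CA Veracode or the report; the component names, version ranges and advisory ids are constructed placeholders, and the inventory format (Maven-style `group:artifact:version` lines) is an assumption.

```python
"""Minimal software-composition check (constructed example): match a
dependency inventory against known-vulnerable version ranges."""
from collections import namedtuple

# component = "group:artifact"; fixed = "" means no patched release exists yet
Advisory = namedtuple("Advisory", "component advisory_id introduced fixed")

def parse_version(v):
    """'2.3.30' -> (2, 3, 30) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, adv):
    """Affected if introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)

def parse_inventory(text):
    """One Maven-style coordinate per line: group:artifact:version."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            group, artifact, version = line.split(":")
            deps.append((group + ":" + artifact, version))
    return deps

def find_vulnerable(inventory, advisories):
    """Return (component, version, advisory_id) for every known-bad match."""
    return [(c, v, a.advisory_id)
            for c, v in parse_inventory(inventory)
            for a in advisories
            if a.component == c and is_affected(v, a)]

# Constructed sample data: placeholder advisory ids, not real CVE entries.
ADVISORIES = [
    Advisory("com.example:web-framework", "ADV-EXAMPLE-1", "2.3.0", "2.3.32"),
    Advisory("com.example:json-lib", "ADV-EXAMPLE-2", "1.0.0", ""),
]
INVENTORY = """\
# constructed dependency list of one application
com.example:web-framework:2.3.30
com.example:web-framework:2.5.10
com.example:json-lib:1.4.2
com.example:logging:3.1.0
"""

if __name__ == "__main__":
    for hit in find_vulnerable(INVENTORY, ADVISORIES):
        print("vulnerable: %s@%s (%s)" % hit)
```

Numeric tuple comparison matters here: comparing version strings as text would rank 2.10.0 below 2.9.0 and silently miss affected releases.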
Github and Black Duck active
Competition has recently come from Github. The platform now makes it possible, at least for applications based on JavaScript and Ruby, to determine the dependencies on various components and to identify new vulnerabilities, including security vulnerabilities, in the program components.
The US company Black Duck has been active in this area for longer. Its technology can identify the open-source code used in software and automate its correct mapping. This reveals not only known security gaps but also licensing issues. These capabilities are also reflected in the purchase of Black Duck by Synopsys. The buyer, which offers security testing for software in general as well as for integrated circuits, paid 565 million dollars for the additional expertise and technology. The transaction is expected to be completed in the course of 2017.