Research shows reliance on open source components can be risky

by in Security

Vulnerabilities in Open Source Dependencies

Research shows reliance on open source components can be risky.pngComponent management is an important aspect of secure software development. In the 2019 Application Security Risk Report, we analyzed the third party component usage in applications scanned using Fortify on Demand technologies and our Sonatype partnership. Our sample consists of 874 CVEs reported across 586 libraries that are refer­enced across 1,250 applications that were analyzed between October 31, 2017 and October 30, 2018.

Here are some of the top takeaways from that research. 

Open source components were referenced in all applications in our dataset, with 60% of applications referencing more than 75% of their components from open source.

Application Security Risk Report 1.png

More than 95% of CVEs reported in referenced libraries have a Sonatype threat level of severe or critical (CVSS base score >4.0). More noticeably, the fraction of critical CVEs almost doubled from 27% to 55% as compared to 2017. 

Application Security Risk Report 2.png

Here we can see that 87% of the applications inherit a critical severity vulnerability from referenced components. This number is up by 22% since 2017.

Application Security Risk Report 3.png

Another observation from the analyzed data is that most CVEs affecting applications so far this year were disclosed in 2017.Considering that there is an unknown time period between discovery of a security issue and its public disclosure, the number of CVEs disclosed in 2018 can still grow higher this year. 

Application Security Risk Report 4.png

 Your SCA just needs a little bit of SCA

The overall conclusion shows that getting software component analysis (SCA) and static code analysis (SCA) to play hand-in-hand requires a two-step process:

  • Software component analysis reports should analyze the information provided by the vendors and digest it in such a way that clearly specifies what is the underlying vulnerability and how could it affect an application.
  • Static code analysis needs to be able to provide a customizable way to write checks for the information provided in step 1. 

This is part of a blog series pulling out some of the insights from The 2019 Application Security Risk Report. Part one highlighted the 2019 AppSec Risk Report Key Takeaways and part two discussed publicly-disclosed security issues reaching the highest level ever recorded. Part three pointed out that research shows that severe weaknesses are prevalent in a majority of applications. Part four discusses how the research shows reliance on open source components can be risky. Check out the blogs and the report and share your feedback below.


About Micro Focus Fortify

Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.


Application security