One Article Review

Home - The article:
Source Veracode
Identifier 2103312
Publication date 2020-10-01 14:10:28 (viewed: 2020-12-15 21:05:43)
Title 96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws
Text Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But, shockingly, less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities.

Figure: Percentage of codebase pulled from open source

Why is it important to scan open source libraries?

For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. When open source libraries are not scanned, these flaws go undetected and remain exposed to a cyberattack.

Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach through a vulnerability in Apache Struts, which compromised the data (including social security numbers) of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax had performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided.

Why aren't more organizations scanning open source libraries?

If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that the library developers have already scanned the code for vulnerabilities. Unfortunately, you can't rely on library developers to keep your application safe.

Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw, one that is pulled in indirectly from another library in use.

Figure: Transitive and direct open source vulnerabilities

What are your options for managing library security flaws?

First off, it's important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update such as a revision or patch. Even high-priority flaws are easy to fix: close to 91 percent can be fixed with an update.

Figure: Patching open source flaws

So, when it comes to managing your library security flaws, the concentration should not just be, "How
Sent Yes
Tags Data Breach Tool Vulnerability
Stories Equifax
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.