One Article Review
| Source |  Veracode |
|---|---|
| Identifiant | 2399323 |
| Date de publication | 2021-02-24 13:30:31 (vue: 2021-02-25 18:05:30) |
| Titre | Dangers of Only Scanning First-Party Code |
| Texte |  When it comes to securing your applications, it???s not unusual to only consider the risks from your first-party code. But if you???re solely considering your own code, then your attack surface is likely bigger than you think.
Our recent State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. That means your attack surface is exponentially larger than just the code written in-house. Yet a study conducted by Enterprise Strategy Group (ESG) established that less than half of organizations have invested in security controls to scan for open source vulnerabilities.
If the majority of applications are made up of open source libraries, why are most organizations only scanning their first-party code? Because most organizations assume that third-party code was already scanned for vulnerabilities by the library developer. But you can???t base the safety of your applications on assumptions. Our State of Software Security: Open Source Edition report revealed that approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that???s pulled indirectly from another library in use.
Over the years, several organizations have learned the hard way just how dangerous it is to only scan first-party code.
In 2014, the notorious open source vulnerability ??? Heartbleed ??? occurred. Heartbleed was the result of a flaw in OpenSSL, a third-party library that implemented the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The vulnerability enabled cyberattackers to access over 4.5 million healthcare records from Community Health Systems Inc.
In 2015, there was a critical vulnerability in Glibc, a GNU C library. The open source security vulnerability nicknamed ???Ghost,??? affected all Linux servers and web frameworks such as Python, PHP, Ruby on Rails as well as API web services that use the Glibc library. The vulnerability made it possible for hackers to compromise applications with a man-in-the-middle attack.
In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data ??? including social security numbers ??? of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent.
On the good news front: Close to 74 percent of open source flaws can be fixed with an update like a revision or patch. Even high-priority open source flaws don???t require extensive refactoring of code ??? close to 91 percent can be fixed with an update. Equifax had to pay up to $425 million to help people affected by the data breach that the court deemed ???entirely preventable.??? In fact, it was discovered that the breach could have been avoided with a simple patch to its open source library, Apache Struts.
Don???t become a victim to the monsters lurking in your third-party libraries. Download our whitepaper Accelerating Software Development with Secure Open Source So |
| Envoyé | Oui |
| Condensat | $425 143 2014 2015 2017 accelerating access affected all already americans another apache api appears application applications approximately are assume assumptions attack avoided base because become been bigger breach but can close code comes community compromise compromised conducted consider considering controls could court critical cyberattackers dangerous dangers data deemed developer development directly discovered don download edition enabled enterprise entirely equifax esg established even exponentially extensive fact fell first fixed flaw flaws following found frameworks free from front: ghost glibc gnu good group hackers had half hard has have health healthcare heartbleed help high house how implemented inc including indirectly invested its java just larger layer learn learned less libraries library like likely linux lurking made majority man massive means middle million monsters more most news nicknamed not notorious numbers occurred only open openssl organizations over own party patch pay people percent php possible preventable priority protocols pulled python rails recent records refactoring report require result revealed revision risks ruby safety scan scanned scanning secure securing security security: servers services several simple social sockets software solely source ssl state stock strategy struts study such suffered surface systems than then think third tls transitive transport typical unusual update use victim vulnerabilities vulnerability way web well when which whitepaper why written years yet your |
| Tags | Data Breach Vulnerability |
| Stories | Equifax Equifax |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.