Information Security News mailing list archives
Open source code libraries seen as rife with vulnerabilities
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 27 Mar 2012 02:07:18 -0500 (CDT)
http://www.networkworld.com/news/2012/032612-open-source-vulnerabilities-257645.html
By Ellen Messmer
Network World
March 26, 2012

A study of how 31 popular open-source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and about a quarter of the downloads were tainted.
The study was undertaken by Aspect Security, which evaluates software for vulnerabilities, with Sonatype, a firm that provides a Central Repository housing more than 300,000 libraries for downloading open-source components and gets 4 billion requests per year.
"Increasingly over the past few years, applications are being constructed out of libraries," says Jeff Williams, CEO of Aspect Security, referring to "The Unfortunate Reality of Insecure Libraries" study. Open-source communities have done little to provide a clear way to spotlight code found to have vulnerabilities or identify how to remedy it when a fix is even made available, he says.
"There's no notification infrastructure at all," says Williams. "We want to shed light on this problem."
[...]