Code repositories are spreading vulnerable components

Jul 17, 2016 23:50 GMT

The company that provides hosting services for the Maven Central Repository says that one in sixteen downloads is for a Java component that contains a known security flaw.

Sonatype says that developers download 31 billion Java components per year, and that over 1,000 new components and over 10,000 new component versions are created daily.

Companies nowadays rely on managed central component repositories for their code. While some use private projects, more use open source code, which in some cases they download and import into their projects without a proper security audit.

Sonatype estimates that between 80 and 90 percent of today's enterprise code is actually made up of open source components, imported from public repositories.

Because security vulnerabilities are public, and because Sonatype has access to the repository's server statistics, it is better placed than anyone else to warn developers about the dangers of using insecure or outdated components in their code.

This warning matters twice as much for companies, since if an attacker compromises an application built from vulnerable components, the results can have a deep economic impact.

Older components have a 3x higher rate of vulnerabilities

After a study of 3,000 organizations and over 25,000 enterprise applications from several industries, Sonatype informs us that a company downloads about 5,000 unique components each year.

The older a component is, the higher the chance that it contains a security vulnerability. Even worse, 97 percent of all downloaded components cannot be easily tracked or audited.

If a company wanted to fix 10 percent of the security bugs in 2,000 applications, it would need a budget of $7.42 million.

These findings show the need to manage the software supply chain in order to avoid future vulnerabilities. The time spent auditing components before they are added to a project is recovered later, when fewer security bugs have to be dealt with.

Removing the vulnerable components from such centrally managed code repositories should also become a top priority for the communities behind these projects.

The State of the Software Supply Chain Report contains more information about the state of today's software supply chain.

[Image: Sonatype report findings]

[Image: 1 in 16 Java downloads is for a compromised component]