Report discusses how Java apps are susceptible to widespread attacks from known security defects
A recently released study conducted by CA Veracode has found that the majority of Java applications contain at least one vulnerable component, making them predisposed to widespread attacks.
The research, titled “2017 State of Software Security Report”, which involved CA Veracode’s base of more than 1,400 customers, revealed that less than 28% of companies conduct regular composition analysis to understand which components are built into their applications.
During the past 12 months, there were many high-profile security breaches in Java applications that were caused by widespread vulnerabilities in open source and commercial components. The "Struts-Shock" flaw, which occurred in March 2017, is one such example. This was a critical exposure in the Apache Struts 2 library that enabled remote code execution (RCE) attacks using command injection, and as many as 35 million sites were vulnerable to it. According to the analysis, 68% of Java applications using the Apache Struts 2 library were using a vulnerable version of the component in the weeks following the initial attacks.
Elsewhere, a report from Flexera warns that more such cyberattacks and breaches are likely to be seen in the months and years to come. Over 400 software suppliers, IoT manufacturers and in-house development teams were surveyed for the report, titled “Open Source Risk – Fact or Fiction?”
Though software suppliers are able to quickly build products with the help of open source software (OSS), the report reveals some hidden software supply chain risks that all software suppliers and IoT manufacturers should know about. For example, the criminals who potentially gained access to the personal data of Equifax customers exploited the Apache Struts vulnerability CVE-2017-5638. Apache Struts is a widely used open source component – a framework for Web servers – used by companies in commercial and in-house systems to take in and serve up data.
Jeff Luszcz, vice president of product management at Flexera, says: “We can’t lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space. However, most software engineers don’t track open source use, and most software executives don’t realize there’s a gap and a security/compliance risk.”