Communications of the ACM

ACM TechNews

Open Source Code Libraries Seen as Rife With Vulnerabilities


Image: Open source code (credit: gfsa.wordpress.com)

Open source code libraries contain a significant number of security vulnerabilities, according to an Aspect Security study that analyzed 113 million downloads of more than 30 Java frameworks and security libraries from Sonatype's Central Repository over the previous 12 months.

The researchers found that 26 percent of the library downloads had known security flaws, including flaws in Spring, an application development framework for Java. The vulnerabilities, which existed in Spring's use of Expression Language, could be exploited by attackers using HTTP parameter submissions to obtain sensitive system data as well as application and user cookies. Other vulnerabilities ranged from flaws that could be used to completely take over the host running the library to flaws that could result in the loss or corruption of data if attacked. In addition, the researchers found that the most popular vulnerable open source libraries were Google Web Toolkit, Apache Xerces, Spring MVC, and Struts 1.x.

The study noted that developers do not currently have any means for knowing whether or not the open source libraries they use contain vulnerabilities, aside from closely watching mailing lists, blogs, and online forums.
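The gap the study points to is the lack of an automated check of a project's declared dependencies against known-vulnerable version ranges. The script below is an added example, not code from the Aspect Security study, Sonatype, or Network World: it parses a Maven pom.xml, compares each artifact's version against a locally held advisory list, and reports the ones that fall inside an affected range. The pom.xml fragment, the `org.example` artifact names, the version numbers and the advisory entries are all constructed placeholders; a real deployment would load the advisory list from a vulnerability feed.

```python
"""Audit a Maven pom.xml against a local list of vulnerable version ranges.

Added example (not from the study or any of the projects it names): the
sample pom.xml and the advisory entries below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml fragment (not a real project file).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>2.5.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>xml-parser</artifactId>
      <version>2.9.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging</artifactId>
      <version>1.2.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory list: (groupId, artifactId, first affected, first fixed, note).
# A first-fixed value of None means no fixed release is published yet.
ADVISORIES = [
    ("org.example", "web-framework", "2.5.0", "2.5.7",
     "expression-language injection via HTTP parameters (placeholder advisory)"),
    ("org.example", "xml-parser", "2.0.0", None,
     "denial of service via malformed input (placeholder advisory)"),
]

# Maven POM default namespace, needed for element lookups.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '2.5.3' into (2, 5, 3) for ordering; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        yield (dep.findtext("m:groupId", namespaces=NS),
               dep.findtext("m:artifactId", namespaces=NS),
               dep.findtext("m:version", namespaces=NS))


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    return first_fixed is None or v < parse_version(first_fixed)


def audit(pom_xml, advisories=ADVISORIES):
    """Return one finding per dependency whose version lies in an advisory range."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        for a_group, a_artifact, first, fixed, note in advisories:
            if (group, artifact) == (a_group, a_artifact) and is_affected(version, first, fixed):
                findings.append({"artifact": f"{group}:{artifact}", "version": version,
                                 "fixed_in": fixed, "note": note})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POM):
        fix = finding["fixed_in"] or "no fixed release published"
        print(f"{finding['artifact']} {finding['version']}: {finding['note']} (fixed in: {fix})")
```

Run as a script it prints one line per affected dependency; wiring `audit()` into a build step and failing the build on a non-empty result turns the mailing-list watching the study describes into an automatic gate. The version comparison is deliberately simple (numeric dot-separated parts only); Maven's full version ordering, with qualifiers such as `-SNAPSHOT` and `-rc1`, needs more care than this placeholder comparator gives it.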

From Network World

Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA
