TMCnet News
Osterman Research Software Supply Chain Study Finds 100 Percent of Commercial Applications Contain Vulnerable Software Components

GrammaTech, a leading provider of application security testing products and software research services, today released the findings of a study conducted by Osterman Research into the state of software supply chain security. The report found that 100% of commercial off-the-shelf (COTS) applications tested contained open source components with security vulnerabilities; among those, 85% were critical. Of the most popular browser, email, file sharing, online meeting and messaging products tested, 85% contained at least one critical vulnerability with a 10.0 CVSS (Common Vulnerability Scoring System) score, the highest possible. Meanwhile, 30% of all open-source components across all the applications tested contained at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier.

"Commercial off-the-shelf software applications often include open-source components, many of which contain a range of known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence," said Michael Sampson, senior analyst, Osterman Research. "This lack of visibility into deployed and to-be-deployed applications is essentially a time bomb that increases an enterprise's security risk, attack surface and potential for compromise by cyber criminals."

A complete copy of the report is available here. GrammaTech and Osterman Research will also host a free webinar on the research findings on Sep 15 at 2:00 pm EDT. Register here for Exposing Software Supply Chain Security Blind Spots.

Survey Highlights

The study evaluated widely used client-based COTS software products in five categories (web browsers, email, file sharing cloud storage, online meeting and messaging) for the presence of open source components and whether they contained security vulnerabilities.
Some of the key findings were:
"Most organizations trust suppliers to keep their software free of defects. As this survey shows, companies need to conduct their own quality control to verify the security of purchased software," said Vince Arneja, Chief Product Officer for GrammaTech. "Maintaining an up-to-date software bill of materials that details software components and their associated vulnerabilities is the first step in being able to understand and mitigate security vulnerabilities in commercial software applications both before and after they are implemented."

Methodology

GrammaTech used its CodeSentry product to identify the presence of open-source components in the binary packaging of the most widely used software applications. The output reports for each application were supplied in PDF format to Osterman Research. The applications analyzed were grouped into the following five categories:
About GrammaTech

GrammaTech is a leading global provider of application security testing (AST) solutions used by the world's most security-conscious organizations to detect, measure, analyze and resolve vulnerabilities for software they develop or use. The company is also a trusted cybersecurity and artificial intelligence research partner for the nation's civil, defense, and intelligence agencies. GrammaTech has corporate headquarters in Bethesda, MD, a Research and Development Center in Ithaca, NY, and publishes Shift Left Academy, an educational resource for software developers. Visit us at https://www.grammatech.com/, and follow us on LinkedIn and Twitter. CodeSonar® and CodeSentry® are registered trademarks of GrammaTech, Inc.
View source version on businesswire.com: https://www.businesswire.com/news/home/20210804005066/en/