88 Percent of Java Apps Susceptible to Widespread Attacks [source: itsecurityguru]
Veracode, Inc., a leader in securing the world’s software, and acquired by CA Technologies (NASDAQ:CA), today announced findings from the 2017 State of Software Security Report, a comprehensive review of application security testing data from scans conducted by CA Veracode’s base of more than 1,400 customers. Among other industry trends such as vulnerability fix rates and percent of applications with vulnerabilities, the report exposes the pervasive risk from vulnerable open source components. The CA Veracode report found that 88 percent of Java applications contain at least one vulnerable component, making then susceptible to widespread attacks. This is in part because fewer than 28 percent of companies conduct regular composition analysis to understand which components are built into their applications.
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Chris Wysopal, CTO, CA Veracode.
Over the past 12 months, several high-profile breaches in Java applications were caused by widespread vulnerabilities in open source or commercial components. One example of a widespread component vulnerability was the “Struts-Shock” flaw disclosed in March 2017. According to the analysis, 68 percent of Java applications using the Apache Struts 2 library were using a vulnerable version of the component in the weeks following the initial attacks.
This critical vulnerability in the Apache Struts 2 library enabled remote code execution (RCE) attacks using command injection, for which as many as 35 million sites were vulnerable. Using this pervasive vulnerability, cybercriminals were able to exploit a range of victims’ applications, most notably the Canada Revenue Agency and the University of Delaware.
The 2017 State of Software Security Report also shows that approximately 53.3 percent of Java applications rely on a vulnerable version of the Commons Collections components. Even today, there are just as many applications using the vulnerable version as there were in 2016. The use of components in application development is common practice as it allows developers to reuse functional code – speeding up the delivery of software. Studies show that up to 75 percent of a typical application’s code is made up of open source components
For more, click here.