CIO Influence

Osterman Research Software Supply Chain Study Finds 100 Percent of Commercial Applications Contain Vulnerable Software Components that Put Organizations at Significant Risk of Cyberattacks

Results Show Hidden Vulnerabilities in Browsers, Email, File Sharing, Online Meeting and Messaging Tools Put Organizations at Significant Risk of Cyberattacks

GrammaTech, a leading provider of application security testing products and software research services, released the findings of a study conducted by Osterman Research into the state of software supply chain security. The report found that 100% of the commercial off-the-shelf (COTS) applications tested contained open-source components with security vulnerabilities, and that 85% of those applications contained at least one critical vulnerability.



Of the most popular browser, email, file sharing, online meeting and messaging products tested, 85% contained at least one critical vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10.0, the highest possible. Meanwhile, 30% of all open-source components across the applications tested contained at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier.

“Commercial off-the-shelf software applications often include open-source components, many of which contain a range of known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence,” said Michael Sampson, senior analyst, Osterman Research. “This lack of visibility into deployed and to-be-deployed applications is essentially a time bomb that increases an enterprise’s security risk, attack surface and potential for compromise by cyber criminals.”


A complete copy of the report is available here. GrammaTech and Osterman Research will also host a free webinar on the research findings on Sep 15 at 2:00 pm EDT. Register here for “Exposing Software Supply Chain Security Blind Spots.”

Survey Highlights

The study evaluated widely used client-based COTS software products in five categories (web browsers, email, file sharing/cloud storage, online meeting and messaging) for the presence of open-source components and for whether those components contained security vulnerabilities. Some of the key findings were:

  • Online Meeting and Email Most Vulnerable
    Applications in the online meetings and email client categories contained the highest average weighting of vulnerabilities. Given the widespread usage of these tools, organizations should better understand their security attack surface and the potential for compromise.
  • Open-Source Components Widely Used
    All applications analyzed contained open-source components. On average, 30% of all open-source components contained at least one vulnerability or security flaw that has been assigned a CVE identifier.


  • Components with Critical Vulnerabilities Commonly Used
    All but three of the applications in the study included at least one critical vulnerability with the highest possible CVSS score (10.0). The near-ubiquitous use of such vulnerable components made per-application comparison on this basis meaningless, since every application counts as vulnerable.
  • Newer Versions of Components Not More Secure
    Several components appeared in multiple versions across the tested applications, but newer versions were not always more secure, whether measured by the number of vulnerable components used or by the weighted score of vulnerabilities in each component.
  • Highest Risk Components
    Of the components identified across the applications analyzed, two versions of the firefox open-source component (not the browser itself) contributed 75.8% of all CVEs. In second place, 16 versions of openssl accounted for a combined 9.6% of the CVEs, and two versions of libav represented 8.3%.

“Most organizations trust suppliers to keep their software free of defects. As this survey shows, companies need to conduct their own quality control to verify the security of purchased software,” said Vince Arneja, Chief Product Officer for GrammaTech. “Maintaining an up-to-date software bill of materials that details software components and their associated vulnerabilities is the first step in being able to understand and mitigate security vulnerabilities in commercial software applications both before and after they are implemented.”
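The method the release describes, both in the survey highlights and in the closing quote, is an inventory of each application's open-source components joined against known CVEs and then aggregated per application and per component. The Python script below is an added example of that pipeline, not code from GrammaTech, Osterman Research or the report: it reads CycloneDX-style SBOMs, looks each (component, version) pair up in a vulnerability table, and produces the kinds of figures quoted above (share of components with at least one CVE, share of applications with a CVSS 10.0 finding, each component's share of all CVEs, and a per-version comparison). The application names, versions, CVE identifiers (placeholder year 0000) and scores are all constructed sample data, the in-memory table stands in for a real vulnerability feed, and because the report's own weighting scheme is not stated in the release the shares are simple distinct-CVE counts.

```python
"""Correlate SBOM components with a vulnerability table and aggregate the
results per application and per component, in the shape the study describes."""
import json
import re
from collections import defaultdict

# Constructed CycloneDX-style SBOMs for three hypothetical client applications.
# Application names, component versions and the vulnerability table below are
# made-up sample data for this example; they are not the study's findings.
SBOMS = {
    "MeetingClientA": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "library", "name": "libav", "version": "12.3"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ]}),
    "MailClientB": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "libxml2", "version": "2.9.10"},
        {"type": "library", "name": "libpng", "version": "1.6.37"},
    ]}),
    "BrowserC": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "libxml2", "version": "2.9.4"},
    ]}),
}

# Constructed vulnerability table: (name, version) -> [(cve_id, cvss_base_score)].
# The CVE identifiers are placeholders (year 0000), not real assignments.
VULN_DB = {
    ("openssl", "1.0.2u"): [("CVE-0000-0001", 7.5), ("CVE-0000-0002", 10.0)],
    ("openssl", "1.1.1k"): [("CVE-0000-0003", 5.9)],
    ("libav", "12.3"): [("CVE-0000-0004", 10.0), ("CVE-0000-0005", 8.8)],
    ("libxml2", "2.9.4"): [("CVE-0000-0006", 9.8)],
    ("libxml2", "2.9.10"): [("CVE-0000-0007", 7.5), ("CVE-0000-0008", 6.5)],
}


def components(sbom_json):
    """Return the (name, version) pairs listed in a CycloneDX JSON document."""
    return [(c["name"], c["version"]) for c in json.loads(sbom_json)["components"]]


def version_key(version):
    """Sort key that orders 2.9.4 before 2.9.10 (plain string sorting does not)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def analyze(sboms, vuln_db):
    """Per-application findings plus the corpus-wide ratios the release quotes."""
    per_app = {}
    seen = set()                      # distinct (name, version) pairs across all apps
    cves_by_name = defaultdict(set)   # component name -> distinct CVE ids
    for app, sbom in sboms.items():
        comps = components(sbom)
        findings = [(c, cve, s) for c in comps for cve, s in vuln_db.get(c, [])]
        per_app[app] = {
            "components": len(comps),
            "vulnerable_components": len({c for c, _, _ in findings}),
            "cves": len(findings),
            "max_cvss": max((s for _, _, s in findings), default=0.0),
        }
        seen.update(comps)
        for (name, _), cve, _ in findings:
            cves_by_name[name].add(cve)
    total_cves = len(set().union(*cves_by_name.values())) if cves_by_name else 0
    vulnerable = sum(1 for c in seen if vuln_db.get(c))
    return {
        "per_app": per_app,
        "share_components_with_cve": vulnerable / len(seen),
        "share_apps_with_cvss10": sum(1 for a in per_app.values() if a["max_cvss"] == 10.0) / len(per_app),
        "share_of_cves_by_component": {n: len(v) / total_cves for n, v in cves_by_name.items()},
    }


def versions_report(sboms, vuln_db):
    """For each component shipped in more than one version, list (version, cve_count,
    max_cvss) from oldest to newest, so 'newer is not always cleaner' can be checked."""
    by_name = defaultdict(set)
    for sbom in sboms.values():
        for name, version in components(sbom):
            by_name[name].add(version)
    report = {}
    for name, versions in by_name.items():
        if len(versions) < 2:
            continue
        report[name] = [
            (v, len(vuln_db.get((name, v), [])),
             max((s for _, s in vuln_db.get((name, v), [])), default=0.0))
            for v in sorted(versions, key=version_key)
        ]
    return report


if __name__ == "__main__":
    summary = analyze(SBOMS, VULN_DB)
    for app, row in summary["per_app"].items():
        print(f"{app:15} components={row['components']} vulnerable={row['vulnerable_components']} "
              f"cves={row['cves']} max_cvss={row['max_cvss']}")
    print(f"components with >=1 CVE: {summary['share_components_with_cve']:.1%}")
    print(f"apps with a CVSS 10.0 finding: {summary['share_apps_with_cvss10']:.1%}")
    for name, share in sorted(summary["share_of_cves_by_component"].items(), key=lambda kv: -kv[1]):
        print(f"{name:10} {share:.1%} of all CVEs")
    for name, rows in versions_report(SBOMS, VULN_DB).items():
        print(name, rows)
```

Two details matter more than the arithmetic. First, `version_key` exists because naive string sorting places 2.9.10 before 2.9.4, which would silently invert any "newer versions are not more secure" comparison; real version schemes (epochs, distro suffixes) need a fuller parser than this. Second, the whole analysis is only as good as the component inventory: the release's point is that vendors often do not disclose bundled components, so in practice the SBOM must be produced by binary composition analysis of the shipped application rather than taken from the vendor on trust.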
