Open-source components with known security vulnerabilities are still widely used.


Sonatype, which hosts Maven's central repository, says that 1 in 16 Java component downloads contains a known security issue. According to Sonatype, developers download more than 31 billion Java components each year, and more than 10 thousand new components are added every day.

Enterprises now store their code in a managed central component repository. Some of that code comes from private projects, the rest from open-source projects. In most cases, developers simply download open-source code and import it into their projects without performing the necessary security audits.
Sonatype found that 8% and 90 of enterprise code consists of open-source components imported directly from open-source projects.


Because these security defects are public, and because Sonatype can see the server statistics of the services it hosts, it has more data than most. On that basis, Sonatype warns developers to take seriously the risk of using insecure or outdated components in their code.
The warning carries even more weight for companies: if attackers compromise an application built from defective components, the economic losses can be much larger.

The defect rate of older components is up to three times higher

After analyzing more than three thousand enterprise applications from 25,000 institutions across several industries, Sonatype found that each enterprise downloads about five thousand different components every year.
The older a component is, the more likely it is to contain security defects. Worse, 97% of downloaded components cannot be easily tracked and audited. If a company wants to fix only 10% of two thousand applications, it still faces an investment of about $7.42 million.
These findings show that enterprises need to manage their software supply chain to avoid future defects. The time spent on component security audits pays off later, when vulnerabilities are found in components the project depends on.
Removing defective components from the managed central code repository should likewise be the highest priority for the communities behind these projects.
The software supply chain report contains more information about today's software supply chain.
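The article's point is that components cannot be tracked or audited once they are imported without a record of what was pulled in. The following added example (not from the article, from Sonatype, or from any real project) shows the minimal form of such an audit: it parses the dependency list of a Maven pom.xml and checks each component against a local advisory list. The POM, the component names and the advisory entries are all constructed for illustration; the advisory ids are placeholders, not real CVE numbers.

```python
"""Audit the dependencies declared in a Maven pom.xml against a local advisory list.

Added example, not code from the original article or from Sonatype. The POM
content, component names, versions and advisory ids below are constructed
placeholders for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (hypothetical components; not real artifacts).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>parser-core</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>http-util</artifactId>
      <version>2.0.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>logging-shim</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory list: each entry names the component and the first
# version that contains the fix. The ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.example.lib",
     "artifact": "parser-core", "fixed_in": "1.3.0"},
    {"id": "ADV-PLACEHOLDER-2", "group": "org.example.lib",
     "artifact": "http-util", "fixed_in": "2.0.0"},
]

# Maven POM files carry a default XML namespace; ElementTree needs it spelled out.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically.

    Lexical comparison would rank '1.10.0' below '1.9.2'; tuples of ints do not.
    Non-numeric qualifiers (e.g. '-SNAPSHOT') are stripped from each segment.
    """
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def list_dependencies(pom_xml):
    """Return [(groupId, artifactId, version_or_None)] declared in a POM string."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        deps.append((group, artifact, version))
    return deps


def audit(pom_xml, advisories):
    """Classify each dependency as 'vulnerable', 'ok' or 'unpinned'.

    'unpinned' means no version is declared in this POM (it may be inherited
    from a parent or dependencyManagement section), so the component cannot be
    audited from this file alone; that is exactly the tracking gap the
    article describes.
    """
    findings = []
    for group, artifact, version in list_dependencies(pom_xml):
        name = f"{group}:{artifact}"
        if version is None:
            findings.append({"component": name, "status": "unpinned", "advisory": None})
            continue
        status, advisory_id = "ok", None
        for adv in advisories:
            if (adv["group"] == group and adv["artifact"] == artifact
                    and parse_version(version) < parse_version(adv["fixed_in"])):
                status, advisory_id = "vulnerable", adv["id"]
                break
        findings.append({"component": f"{name}:{version}", "status": status,
                         "advisory": advisory_id})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POM, ADVISORIES):
        suffix = f"  ({finding['advisory']})" if finding["advisory"] else ""
        print(f"{finding['status']:<10} {finding['component']}{suffix}")
```

Running the block reports parser-core 1.2.3 as vulnerable (it is below the constructed fix version 1.3.0), http-util 2.0.1 as ok, and logging-shim as unpinned because its version is not visible in this POM. The design choice worth noting is that the audit compares parsed version tuples rather than strings, and that an undeclared version is surfaced as a finding rather than silently skipped: a component whose version cannot be determined is one that cannot be audited.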

From: https://linux.cn/article-7594-1.html

Address: http://www.linuxprobe.com/components-vulnerabilities.html

