Components Becoming Major Source Of CVEs

Earlier today Sonatype released the results of their annual survey. The survey looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. The data makes it clear that security is very often not the priority.

The results of the survey show the massive extent to which developers now rely on components. Of course, this has been the case for many years, but the full maturation of the concept of component assembly rather than code writing is well illustrated here.

The more concerning figures to rise out of this study are those relating to security procedures. Again, for many developers it will come as no surprise to hear that well-conceived open source policies are scarce and that security vulnerabilities are not made a big deal of in many companies. Yet custom analysis Sonatype performed at our request showed that things may be worse than even they believe. Sonatype investigated exclusively for us and found that the number of serious software vulnerabilities (CVEs) arising from components has rocketed in recent years.

Component CVE Chart

Seeing those facts displayed graphically like this, in direct association with actual practices, encourages a sense of urgency on this question. What practices do we need to put in place to keep on top of the security of our projects in the age of components? Sonatype have provided one answer to that question, with a series of good practice suggestions at the end of their survey.

For more discussion, see our article in InfoWorld today.

One thought on “Components Becoming Major Source Of CVEs”

  1. Pingback: Links 3/5/2013: Ubuntu 13.04 Release, Jolla Has New Management, News Catchup | Techrights
