Thursday, 7 April 2016

Third-party libraries are one of the most insecure parts of an application

Much has been written to guide software developers on how to develop secure software. Despite this general awareness, we continue to see vulnerable software produced. One of the observations in the HPE Cyber Risk Report 2016 is that attackers have shifted their focus from servers and operating systems directly to applications.They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can to do that—including exploiting third-party software components. After all, an attacker looks for any application weakness to gain access to an organization’s sensitive data and doesn’t care how it got there.

Let’s look at some of the research around third-party library security and some of the strategies and tools you can use to mitigate these risks.

Fast dev times, for a price

All categories of applications tend to use third-party libraries to accelerate the development process. Based on analysis of the Central Repository (one of the largest open source code repositories), Sonatype estimatesthat 90 percent of all software development requires the downloading of components. While most critical vulnerabilities in third-party libraries are disclosed as Common Vulnerabilities and Exposures (CVEs), it is disconcerting to note that the applications that use them are not updated in a timely manner. Also, CVEs do not represent all of the vulnerabilities found in third-party software, and other unidentified weaknesses may exist.

HPE Cyber Risk Report 2016

A great example of this is the significant security flaw researchers recently discovered in the GNU C Library. A domain-name lookup function known as getaddrinfo() contains a buffer overflow vulnerability that could cause a system crash or allow attackers to remotely execute malicious code (CVE-2015-7547). This vulnerability went undiscovered for seven years and unfixed for seven months following its initial report in July.

 

To Read More , Click Herehttp://ift.tt/1RZqBIh



from cyber security caucus http://ift.tt/1oFEi4o
via IFTTT

No comments:

Post a Comment