Open-source application security flaws: What you should know and how to spot them


Open-source software helped to revolutionize the way that applications are built by professionals and enthusiasts alike. Being able to pull in a non-proprietary library to quickly prototype and build an application not only accelerates a project, but also spares the team from reimplementing functionality that already exists and has been exercised by many other users.

Using open-source libraries when creating applications is not the only positive aspect of open-source software. Finished open-source applications are everywhere on the internet. Almost every commercial piece of software has an open-source competitor that performs almost the same functions, which makes open-source programs very popular and, in most cases, free.


This popularity has led to an uptick in open-source software usage. This is great if the project you have chosen followed proper security practices when writing the application, but if any security flaws went unnoticed, then the end user inherits them. Veracode recently revealed that out of 85,000 applications it scanned, 70% had vulnerabilities present. This means that many of the seemingly harmless applications that you have been using might not be as safe as you thought.

What are security vulnerabilities?

The term "security vulnerability" gets used a lot in the modern world of software design, and with good reason. Almost everything is connected and programmed to communicate over the internet these days, which means that if your application has a security vulnerability, then you might have unwanted people connecting to your system, intercepting your data, or infecting your computer and network with malware.

Not all applications are created equal, though. The same report says that JavaScript applications lean the most on third-party and open-source libraries. Many attack vectors can be used against JavaScript, and a single direct dependency routinely pulls in dozens of transitive ones, so this reliance on so many libraries is definitely a concern. But that is not to say that JavaScript is the only offender.
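A practical way to see how far that reliance reaches is to walk the project's lockfile rather than just package.json, because the lockfile records every transitive copy that actually gets installed, including nested duplicates that npm could not hoist. The script below is an added example, not code from the original post or from Veracode: it reads a package-lock.json in the v2/v3 "packages" format, separates direct from transitive dependencies, and checks each installed version against an advisory list. The lockfile contents, the package names, and the advisories are all constructed for the example and do not describe real packages or real vulnerabilities.

```javascript
// Added example (not from the original post). Inventory a package-lock.json
// (lockfileVersion 2 or 3, "packages" map) and match installed versions
// against an advisory list. Everything below is constructed sample data:
// the package names are hypothetical and the advisories describe no real flaw.

const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-widget": "^1.2.0", "html-render": "^4.0.0" } },
    "node_modules/left-widget": { version: "1.2.3", dependencies: { "deep-merge-lite": "^1.9.0" } },
    "node_modules/deep-merge-lite": { version: "2.1.0" },
    "node_modules/html-render": { version: "4.0.1", dependencies: { "string-escape-lite": "^0.3.0" } },
    "node_modules/string-escape-lite": { version: "0.3.5" },
    // A nested, older copy that npm could not hoist: a package.json-only check misses it.
    "node_modules/left-widget/node_modules/deep-merge-lite": { version: "1.9.0" },
  },
};

// Hypothetical advisories: affected if version < "below" (and >= "from" when given).
const SAMPLE_ADVISORIES = [
  { name: "deep-merge-lite", below: "2.0.0", id: "EXAMPLE-0001" },
  { name: "string-escape-lite", below: "0.4.0", id: "EXAMPLE-0002" },
];

// Compare only the numeric x.y.z core; a leading "v" and prerelease tags are dropped.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// List every installed package and mark which ones the root package asks for directly.
function inventory(lock) {
  const root = lock.packages[""] || {};
  const rootDeps = Object.assign({}, root.dependencies || {}, root.devDependencies || {});
  const entries = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    const direct = lockPath === `node_modules/${name}` && name in rootDeps;
    entries.push({ name, version: meta.version, path: lockPath, direct });
  }
  return {
    entries,
    direct: entries.filter((e) => e.direct),
    transitive: entries.filter((e) => !e.direct),
  };
}

// Report every installed copy (hoisted or nested) whose version falls in an advisory range.
function audit(lock, advisories) {
  const findings = [];
  for (const e of inventory(lock).entries) {
    for (const adv of advisories) {
      if (adv.name !== e.name) continue;
      const belowFix = compareVersions(e.version, adv.below) < 0;
      const aboveStart = adv.from ? compareVersions(e.version, adv.from) >= 0 : true;
      if (belowFix && aboveStart) findings.push({ ...e, id: adv.id, fixedIn: adv.below });
    }
  }
  return findings;
}

const inv = inventory(SAMPLE_LOCK);
console.log(`direct: ${inv.direct.length}, transitive: ${inv.transitive.length}`);
for (const f of audit(SAMPLE_LOCK, SAMPLE_ADVISORIES)) {
  console.log(`${f.id}: ${f.name}@${f.version} at ${f.path} (fixed in ${f.fixedIn})`);
}
```

On the constructed lockfile the hoisted deep-merge-lite 2.1.0 passes, but the nested 1.9.0 copy under left-widget is still flagged; that nested copy is exactly what a check limited to the top-level dependency list never sees. In a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json")) and the advisory list with data from a vulnerability database; the matching logic stays the same.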

That same (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Graeme Messina. Read the original post at: