Today we published a paper with Aspect Security, and it's a shocking look at how few people are paying attention to application security. If you consume dependencies from the Central Repository and you don't want to get hacked, I'd suggest reading the report and understanding some of the challenges, I'd also check out some of these statistics. Here are three that jumped out at me:
- Global 500 organizations downloaded more than 2.8 million insecure components in one year.
- Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
- 48% (a little under half) of organizations don't have an inventory of Open source software used in production. (If there's a new vulnerability discovered in something like GWT, who knows if we have that in production.)
To access the executive brief, "Addressing Security Concerns in Open-Source Components," visit www.sonatype.com/securitybrief. You can follow the conversation on Twitter using the hashtag #OSSsecurity.
NOTE: Now, Developers, I know what you are thinking, you see the word "Executive Brief" and immediately dismiss this as C-level corporate-speak. Sure, there's a little bit of that, but you'll also learn how to own any unpatched Struts 2 application with a known vulnerability. If you use Struts, maybe you should read this report before your boss uncovers a vulnerability in your application?