
Sonatype Reports Show Vulnerabilities in Open-source Components

July 18, 2016

Sonatype, a company that studies the software development lifecycle, recently released its “State of the Software Supply Chain” report, which examines the open-source components that enterprise applications are built from. It found that one in every 16 such components carried a known security vulnerability. Multiplied across all the business applications produced each year, that rate translates into a very large number of security concerns affecting consumers and businesses alike.


Of the roughly 200,000 open-source components that Sonatype says a single company downloads every year, about 5,000 are expected to be unique. Applying the one-in-16 figure to those 5,000 unique components gives roughly 312 components with known vulnerabilities in use at that one company at any given time. The number climbs considerably higher when the entire ecosystem of enterprise applications is considered.

Vulnerabilities in these components can expose users’ communications, bank transactions, schedules and business resources. Given how pervasive software has become, no industry is safe from a security concern of this type.

This study’s data does not say exactly how many applications those one-in-16 components actually affect, nor how severe the threat posed by any given vulnerability could be. The point stands, however, that Sonatype notes that 80 to 90 percent of the code found in enterprise applications has its roots in open-source components. Not only is no industry immune from this reach; almost no part of a basic enterprise application exists without code from third parties.

Sonatype warns from its findings that the volume of questionable application code would be nearly impossible to address head-on. It estimates that it could cost the average company, running about 2,000 applications, approximately $7.4 million to fix only 10 percent of the security-affected code within them.

Perhaps most interesting in this state of affairs is that Sonatype itself acts as a conduit for some of this code. It hosts the Central Repository, which holds components from projects and ecosystems such as Apache, SBT and Java. Policing all that code with its own resources would be an endless task, so it leaves security checking to the parties that publish to the repository. The burden of responsibility for any security vulnerabilities therefore falls on those who create the components.

The only way out of this hole, Sonatype suggests, is for software developers to adopt practices common in the supply chains of industries such as manufacturing. Each link in the chain – the component developer, the repository host and the enterprise developer – would need to be more selective about the components it creates, hosts and consumes. This kind of process could become unwieldy if not managed well.

Still, developers such as those in Dialogic’s new PowerVille applications division can start on the right foot by building pre-packaged programs such as its load balancer and network functions virtualization components with the greatest care. Secure products must start from the smallest component and maintain their integrity throughout the chain of use.




Edited by Alicia Young
