UPDATED 17:32 EDT / NOVEMBER 12 2014

Coverity Security Report: Open source projects severely in need of security programs

In today’s IT environments, security has become a major concern. Despite recent reports of software vulnerabilities in open source code, including Shellshock, OpenSSL Heartbleed and GoToFail, companies still prefer to use open source software.

But open source developers don’t always adhere to security best practices, such as conducting regular security audits and using static analysis, according to Coverity Inc.’s Spotlight report. The Coverity Scan Security Spotlight identifies several Common Vulnerabilities and Exposures (CVEs) in open source code, and shows that the GoToFail vulnerability could have been detected by the scan.

Critical defects in open-source projects

The provider of application development testing added its Security Advisor to the Coverity Scan service, which resulted in the discovery of almost 4,000 defects. Almost 2,400 of these were high-severity defects, followed by 1,330 low-severity and around 260 medium-severity defects.

The Coverity Scan service analyzed several hundred million lines of code from more than 1,500 open source projects – including C/C++ projects such as NetBSD, FreeBSD, LibreOffice and Linux, and Java projects such as Apache Hadoop, HBase and Cassandra.

The scan also detected 688 Open Web Application Security Project (OWASP) Top 10 issues in 37 open source projects, including big data, network management and blog server projects. The ten OWASP categories covered by the scan are injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, cross-site request forgery (CSRF), using components with known vulnerabilities, and unvalidated redirects and forwards.

“The road to application quality and security starts in development,” said Zack Samocha, senior director of products at Coverity. “With three major security issues related to open source code defects this year, it’s imperative that open source developers design code security into their projects starting as early as possible…”

That means bringing in security experts to help, adds Samocha. Vulnerable areas in code aren’t always immediately obvious, and how attackers will use them is even less obvious at the developer level. Most code bugs don’t even become a problem until the code is executing in production, after it has left the sanitized world of the development environment.

The solution: regular security audits and in-depth vulnerability assessments that try to find the problems before they’re exploited.

There have been several highly publicized open source vulnerabilities this year alone, including Heartbleed and Shellshock. Those two flaws impacted a large number of users because of the widespread implementation of open source software.

Coverity introduced its monthly Coverity Scan Project Spotlights in response to high demand for the annual Coverity Scan Report, which has become something of a standard for measuring the state of open-source software quality.

In a study conducted earlier this year, Sonatype found that more than 370 enterprises reported suspected or confirmed open source breaches in the last year. Companies should keep a close eye on, and track, security vulnerabilities in the open source components they use for the life of the product.

photo credit: Yuri Yu. Samoilov via photopin cc
