Security expert Chris Wysopal points out that many companies only have a fragmented view of software flaws and risks in their applications. He highlights that the proliferation of toolsets leads to “alarm fatigue” and the emergence of data silos that need to be interpreted to make decisions. To address the security backlog, Wysopal advises prioritizing error remediation based on risk.
In particular, when it comes to risks in the supply chain, the app security provider Black Duck analyzed 965 commercial codebases from 16 industries. The study revealed that 86% of commercial codebases contained open-source software vulnerabilities, with 81% of the flaws posing a high or critical risk.
Among the vulnerabilities found, eight of the top ten high-risk flaws were discovered in jQuery, a widely used JavaScript library. The most commonly found high-risk vulnerability was CVE-2020-11023, an XSS vulnerability affecting outdated versions of jQuery. Remarkably, this vulnerability still persists in a third of the scanned codebases.
This data underscores the importance of addressing security vulnerabilities in software supply chains to mitigate risks effectively. Companies must adopt a risk-based approach to remediate flaws in their applications promptly and prioritize fixing high-risk vulnerabilities to bolster their overall security posture.
Furthermore, the findings emphasize the need for organizations to invest in robust security measures and tools to proactively detect and mitigate software vulnerabilities. By taking proactive steps to secure their applications and prioritize risk-based error remediation, companies can enhance their cybersecurity defenses and protect themselves from potential data breaches and cyber threats.
In conclusion, the insights provided by Black Duck’s analysis shed light on the prevalent security risks associated with open-source software vulnerabilities in commercial codebases. By heeding these warnings and implementing proactive security measures, businesses can fortify their defenses and safeguard their sensitive data from malicious actors. Ultimately, prioritizing risk-based error remediation is crucial in addressing the security gaps within software applications and strengthening overall cybersecurity resilience.