An estimated 80% of the code used in software applications today originates from third-party libraries or components, according to security researchers at Veracode. But when developers share code, they also share vulnerabilities. In an analysis of 25,000 applications, Sonatype found 7% of components had at least one security defect.
Meanwhile, Gartner estimates that by 2020, almost all vulnerabilities exploited will have been known by security and IT professionals for at least a year.
"Faulty code can easily spawn more problems down the road for developers," Stephen Breen, a principal consultant at NTT Com Security, told ThreatPost. "Even when development teams have the best intentions, it’s easy for developers working under tight deadlines to not properly vet the third-party code used in their software."
The dramatic rise of open source means very little software is written from scratch anymore. Developers can use other code as a base and build upon it, without wasting time on the basics. While that can save developers a huge amount of time, it can also create potential issues.
When developers use third-party code, they may not be aware of vulnerabilities that code contains. Cybercriminals can then zero in on and exploit certain vulnerabilities and find them in code used by hundreds, if not thousands, of enterprises.
Using third-party code isn't necessarily a bad thing, but companies need to ensure it's not presenting a flaw into a network. Companies should also keep track of the code they use, because vulnerabilities may not become known until later.