A recent study found a host of vulnerabilities in the open-source components used in commercial off-the-shelf (COTS) IT products, whose use by the Federal government is subject to less stringent regulation.
The white paper by GrammaTech and Osterman Research found wide-ranging use of open-source components in the COTS products and identified meeting and email client COTS products as the most vulnerable.
“Many open-source components contain a range of known vulnerabilities that can be used as egress points for cyberattacks,” the study’s executive summary says. “This lack of awareness of open-source components used by organizations in commercial off-the-shelf software increases the security risk, attack surface, and potential for compromise by cybercriminals.”
Among the applications analyzed, 30 percent of all the open-source components contained at least one vulnerability already catalogued as a Common Vulnerabilities and Exposures (CVE) entry. The email and meeting tools had the “highest average weighting” of vulnerabilities, which is concerning given their widespread use across organizations.
The study also found that just because a COTS product is newer does not mean it is safer. In analyzing some products with multiple versions, the study found that the updated versions of the applications were not always more secure than their predecessors.
Only three of the applications studied were free of critical vulnerabilities. The study’s researchers said, “the near-ubiquitous usage of such vulnerable components renders comparisons between applications on this basis meaningless as all applications analyzed are seen as vulnerable.”