But after crunching the data on how the Central Repository's components are used, with the help of application security specialist Aspect Security, Jackson says he believes organizations need to be much more diligent in their practices around open source components, because many are exposing themselves to risk by deploying older, vulnerable versions of components.
Aspect Security's study of Sonatype's data found that more than 80 percent of typical software applications are open source components and frameworks consumed in binary form, and that Global 500 organizations, collectively, downloaded more than 2.8 million insecure components in one year. The average enterprise downloads more than 1,000 unique components from the Central Repository each month, and large banks and independent software vendors (ISVs) download even more. And many of the most popular components displayed flaws.
Known open source vulnerabilities.