Menu
Enterprise software developers continue to use flawed code in apps

Enterprise software developers continue to use flawed code in apps

The use of third-party code in enterprise software projects is growing fast, but the used code often has known flaws

Companies that develop enterprise applications download over 200,000 open-source components on average every year and one in every 16 of those components has security vulnerabilities.

This is indicative of the poor state of the software supply chain, a problem that's only getting worse with the increased reliance on third-party code combined with bad software inventory practices.

According to software development lifecycle firm Sonatype, third-party components account for 80 percent to 90 percent of the code found in a typical enterprise application today.

The number of downloads from the largest largest public repository of open-source Java components reached 31 billion last year, a 82 percent increase over 2014, the company found.

Sonatype runs the hosting infrastructure for the Central Repository, the default repository for Apache Maven, SBT and other Java software building tools. The company does not police what goes in and out of the repository; that task falls to the community of open source developers who contribute components to it.

The average company downloads more than 229,000 components annually, but only around 5,000 of them are unique, Sonatype said in its State of Software Supply Chain report released Monday. Of those downloaded components, 1 in 16 has security defects.

This is reflected in production too. An analysis of 25,000 enterprise applications revealed that 6.8 percent of the components used in them had at least one known vulnerability.

Components that are over two years old account for 80 percent of the risk, but unfortunately they also represent over half of all components used in applications.

Sonatype estimates that it would cost an enterprise with 2,000 applications about US$7.4 million to remediate only 10 percent of the defects and vulnerabilities introduced by consuming components.

Supply chain management practices that are common in other industries, such as manufacturing,would help software developers reduce their maintenance costs considerably. These include doing a strict selection of component suppliers, choosing only the highest quality components and tracking when and where those components were used.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments