UK firms downloading vulnerable open source software


The average UK enterprise downloaded more than 21,000 open source software components with a known vulnerability in the past year alone, data from Sonatype shows.

Out of the average 248,000 open source components downloaded by UK businesses in 2018, 8.8% were found to have a known security flaw, according to Sonatype’s fifth annual Software supply chain report, based on data from 12,000 enterprise development companies globally.

Out of the vulnerabilities in open source software downloaded by UK firms, 30% were classified as critical, posing a serious risk to the security of software, the report said.

These findings are evidence of a worrying trend of vulnerable components being built into applications, the report said, with one in 10 open source components downloaded in 2018 containing a known security vulnerability.

Just over half (51%) of JavaScript package downloads also had a known flaw, the data shows, demonstrating the scale of the challenge facing organisations.

The report also examined the volume of companies using the flawed Struts component responsible for the Equifax breach and attacks on at least eight other major institutions. The data shows that…