Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows

Yea... just because an application includes a component with a CVE, it isn't de facto exploitable. For the most part though, you should clean house. The classic response to this suggestion is if someone is inside your firewall and accessing the application then you have bigger things to worry about. I'm not saying that is a good response, mind, but it explains these findings.

And this so-called study was sponsored by who, exactly? No maintenance activity for a year could also mean the code is stable and properly implements a standard function. I doubt there are a lot of new features that need to be added to the quicksort algorithm, for example.

I'd instead argue that too much churn in the product is a sign of instability such that it should not be relied upon by third parties. Consider the multiple versions of Microsoft .Net libraries found on any system in productive use for more than a week. Are all those being maintained or merely deprecated.

Receiving data from an external source

In general terms, if data is being sent to, or receivied from a place that the coder has no control over, surely it is best to try and sanitise that data at the border rather than accepting it or assuming that it will be sanitised? I have come across components where they do not work properly unless e.g., compiler bounds-checking switches are disabled, which worries me enough to make me want to steer well clear of such components.

An easily visualised example might be where the third-party might be asked, directly or indirectly, to perform a divide by zero operation. Many coders will assume that the library will handle this and report back, to that effect, but I suspect there are many of us who consider this bad practice, and will take steps to verify this isn't going to happen prior to passing parameters across, or to independently sanity check what comes back before making use of it.

Ok I'm sure that doesn't cover every eventuality surveyed, but I suspect it accounts for many scenarios analysed.

This should be no surprise to anyone who has had a taste of the 'it works, so it's ready for production' style of working within projects that use 'Devops' en 'Agile'.

It's either 'good', 'fast' or 'cheap', any combination, but you can only alwqys have two ; the current Devops//Agile projects have chosen 'fast' and 'cheap'.

Has nothing to do with whether these projects are using closed or open source software aside from the fact that the only reason Open sourse is used is to cut cost.

la la la

Can't hear you!!!

O dear

Only to realize someone is not maintaining an app that should legally not exist in the first place...

Frankestein development, thanks to Stackoveflow, Github & C.

More and more developers no longer write applications. They glue together code sourced from somewhere - usually without checking how many people maintain it, the quality of the code itself (just how many other fools use it), the license, its security. Just look at the packages without a maintainer because the single developer was jailed. Or those removed on a whim. Most of them have nothing in place to ensure each library is vetted and upgraded when necessary. Yet, the more code comes from outside, the more difficult to manage it all.

This survey doesn't surprise me at all - I've seen this trend for years now. When you had to spend money to license library, that very money made you much more careful about what you bought and how well it was supported. It was true that scroogey companies for that same reason often avoided to pay for upgrades, and kept on using outdated and risky code.

Software development took the wrong path, and one day it will become much clearer, at our expenses.

No real ongoing support

I suspect part of the issue is how software projects (or any projects really) are delivered and maintained within companies.

In my experience within large Enterprises, in the UK and US, there is no real concept of ongoing support for software they develop (other than ongoing things like monitoring logs, restarting services etc).

• A project will come along, internal or for a client, and they want some software, or a new application/service.
• A project team is stood up, PMs', architects, developers, testers etc.
• Requirements are defined and agreed, and the project delivers, tests and eventually hands over the resulting software/application to the user.
• Assuming everything gets sighed off, the project team is then stood down, disbanded, and the individuals head off to their next projects.
• Hopefully the delivered software is well documented (ha!) and sat in a supported repo somewhere, with instructions on how to build etc.

But in my experience, once the project team has been stood down, there is no one in the company actively doing anything with that software anymore. It's just not something Enterprises, at least the ones I've worked with, seem to even think about!

Generally the only time the software would get looked at again, is if a serious bug was found (that didn't have a workaround), or an enhancement was wanted, (new feature etc). At which point costs would be agreed, a new project team stood up (most likely different people than the first), and off we go again.

This 2nd (or additional) project may well insist on an 'uplift' step first, to bring all the libraries, frameworks etc up to date, but I've seen this step shot down many times due to 'costs vs perceived benefits', so the old libraries stay in.

Part of the issue is of course that many companies have the tail wagging the dog, i.e. the accountants making decisions, rather than say security experts, or (a competent) Enterprise Architect, and the accountants being there to support these people instead of dictating to them.

I can't see this changing any time soon, as this is just too ingrained, at least withing large Enterprises!

hall of shame

(posing ANON for obvious readsons) OK let's paste in some amusing stuff off of the busiest of our production servers:

[user@prodserv~]$ java -version

java version "1.6.0_35"

OpenJDK Runtime Environment (IcedTea6 1.13.7) (rhel-1.13.7.1.el6_6-x86_64)

OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)

[user@prodserv ~]$ uname -a

Linux svc46 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

The reason we're stuck in "ancient software hell" is mostly to do with being tied to some _proprietary_ software that won't let us upgrade the rest of the stack.

Our ~$500m revenue company is too tight to upgrade from Oracle 10, or hire some devs to migrate to Postgres already, hence we use linux kernel 2.6, hence java 1.6 only, and so on.

Those figures don't add up.

So 91% of Business Applications have out of date software (which is going to be a bullshit figure to start with).

Then....

"Ninety-one percent of the audited applications had components that are either four years out of date or have exhibited no active development for two years."

Well that means 100% of "out of date" programs have components that are four years out of date or abandoned.

TANSTAAFL

So most companies are using open-source code in their applications - but a lot of it is badly maintained?

There ain't no such thing as a free lunch.

Software life cycle is like buying someone a puppy

I've always said that software is like buying someone a puppy. It all sounds great when you look at them, they're so cute, etc, and they don't seem to cost that much. But then you get them home and have to buy food for them, and someone has to go pick up after them.

Software is much the same way, its so "fun" to create stuff, but 90%+ of the cost is in maintaining it for the rest of its life. Many companies run in and try to save that initial money by using open source or free stuff, but then they don't realize what they're getting themselves into, in that they're also on the hook to support it and maintain it. If you could do some estimates of those costs over the life, then maybe commercial software with a support contract wouldn't look so expensive. Not to mention the opportunity cost of your people who could be doing other things.

But I suspect that many companies just go for the cheapest up front cost and hope it all works out with no plans at all for maintenance.

"Ninety-one percent of the audited applications had components that are either four years out of date or have exhibited no active development for two years."

So if a component already works and nobody is mucking about with it then that is a bad thing?