
Why are software bundles an enterprise software security issue?

Third-party software bundling is not uncommon, but can present many issues to enterprise software security. Expert Michael Cobb discusses.

A recent study purports that certain types of enterprise software are more vulnerable to flaws if they are bundled with third-party software. Can you explain why third-party bundling is an issue for enterprise software security? Is it something that should affect software purchasing decisions and software risk assessments?

Vulnerability intelligence firm Secunia's Vulnerability Update Report summarizes security vulnerabilities disclosed between August and October 2014. It recorded 1,841 flaws in the 20 most vulnerable products, and the vendor with the most products on that list was IBM. That may surprise many, given IBM is a trusted name in IT, but a large number of its products bundle third-party software and libraries such as Java and OpenSSL, and every vulnerability disclosed in those components is counted against each product that ships them.

Java has been plagued with security issues and zero-day vulnerabilities, and in April 2014 the Heartbleed bug was found in OpenSSL. Every time a vulnerability is discovered in these or any other software bundled into an IBM product, every customer running that product inherits it. So, for example, when a Java vulnerability is discovered and Oracle releases a patch, IBM still has to patch each of its products that embeds Java and ship those updates to its customers; the system-wide Java update does not touch the embedded copy. The problem is not unique to IBM: most applications now incorporate third-party code and components. It has become such a real enterprise software security issue that "Using Components with Known Vulnerabilities" has its own entry in the OWASP Top 10 list of application security risks.

The more complex a program is and the more components it uses, the larger its potential attack surface. Take this into account when assessing the suitability of products and technologies: a program's license agreement should list any additional third-party software it installs or uses, and that list belongs in the risk assessment. Another factor in the buying decision is how quickly a vendor ships patches for newly discovered vulnerabilities and how it distributes them. The way many large software vendors deliver updates has changed over the last few years; Google and Mozilla, for example, now release new browser versions on a rapid cycle of roughly six weeks. Such initiatives improve the likelihood that a given program is patched promptly, but products that embed third-party software also multiply the number of programs from different vendors installed on machines across the corporate network, and a bundled copy is normally updated only by the product vendor's own patch, not by the component vendor's update. Administrators therefore have to track a greater variety of update procedures, which in turn raises the risk that some systems are never fully patched.

Finally, the Center for Strategic and International Studies found that Java, Adobe Reader/Acrobat, Adobe Flash and QuickTime were the applications attackers most frequently used as an attack vector against users running a Windows operating system. Software that bundles or depends on any of these programs should be flagged during a software purchasing review and possibly excluded from the final shortlist.
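The purchasing-review and patch-tracking checks described above can be run over a component inventory. The Python script below is an added example, not code from the article, Secunia or CSIS: it walks a constructed inventory of products and the third-party components they bundle (including components nested inside other bundled components), flags any copy of OpenSSL older than 1.0.1g (the real Heartbleed fix; CVE-2014-0160 affects 1.0.1 through 1.0.1f), flags any product embedding one of the programs CSIS named, and lists the distinct update channels an administrator would have to track. All product names, vendor names and version numbers in the sample inventory are illustrative assumptions.

```python
"""Bundled-component risk check over a constructed software inventory (added example)."""
import re
from dataclasses import dataclass, field

# Programs named in the CSIS finding as the most-used attack vectors on Windows;
# a product that embeds any of them is flagged for purchasing review.
HIGH_RISK_COMPONENTS = {"Java", "Adobe Reader", "Adobe Acrobat", "Adobe Flash", "QuickTime"}

# First fixed version for a published vulnerability. OpenSSL 1.0.1g closed
# Heartbleed (CVE-2014-0160); 1.0.1 through 1.0.1f are affected.
FIXED_VERSIONS = {"OpenSSL": ("1.0.1g", "Heartbleed, CVE-2014-0160")}


@dataclass
class Component:
    name: str
    version: str
    updater: str                                  # who ships patches for this copy
    bundles: list = field(default_factory=list)   # components nested inside this one


def version_key(version: str):
    """Turn '1.0.1f' or '1.7.0_45' into a comparable tuple.

    Numeric runs become (0, int) and letter runs become (1, str), so
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 and ints never get compared to strings.
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(name: str, version: str):
    """Return the vulnerability label if `version` predates the fix, else None."""
    fixed = FIXED_VERSIONS.get(name)
    if fixed and version_key(version) < version_key(fixed[0]):
        return fixed[1]
    return None


def walk(component: Component, path=()):
    """Yield (path, component) for a component and everything it bundles, depth first."""
    path = path + (f"{component.name} {component.version}",)
    yield path, component
    for inner in component.bundles:
        yield from walk(inner, path)


def assess(inventory):
    """Return (path, reason) findings for every bundled component in the products listed."""
    findings = []
    for product in inventory:
        for path, comp in walk(product):
            if comp is product:            # only bundled components are assessed here
                continue
            label = is_vulnerable(comp.name, comp.version)
            if label:
                findings.append((" > ".join(path), f"unpatched: {label}"))
            if comp.name in HIGH_RISK_COMPONENTS:
                findings.append((" > ".join(path), "high-risk bundled component"))
    return findings


def update_channels(inventory):
    """Distinct patch sources an administrator must track for this inventory."""
    return sorted({comp.updater for product in inventory for _, comp in walk(product)})


# Constructed sample inventory: vendors, products and versions are illustrative only.
SAMPLE_INVENTORY = [
    Component("Enterprise Portal", "9.2", updater="Vendor A", bundles=[
        Component("Java", "1.7.0_45", updater="Vendor A"),
        Component("Embedded HTTP Server", "2.4", updater="Vendor A", bundles=[
            Component("OpenSSL", "1.0.1f", updater="Vendor A"),   # Heartbleed-era copy
        ]),
    ]),
    Component("Report Designer", "4.1", updater="Vendor B", bundles=[
        Component("OpenSSL", "1.0.1h", updater="OpenSSL project"),
        Component("Adobe Flash", "17.0", updater="Adobe"),
    ]),
]

if __name__ == "__main__":
    for path, reason in assess(SAMPLE_INVENTORY):
        print(f"{reason:32} {path}")
    print("update channels to track:", ", ".join(update_channels(SAMPLE_INVENTORY)))
```

The nested OpenSSL copy is the case the article warns about: it sits two levels below the product, is patched only when Vendor A ships an update, and is never touched by an OpenSSL update applied to the host. Comparing versions as mixed numeric/letter tuples matters because OpenSSL's letter suffixes (1.0.1f versus 1.0.1g) are exactly where the Heartbleed boundary falls.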


This was last published in June 2015
