Why it makes sense to package Java libraries
Hi,
there are people who don't understand why it makes sense to package Java
stuff in Debian. The study below points out how many organizations still
download ancient, vulnerable libraries from Maven Central:
https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
or shortened: http://bit.ly/GX4jGi
found via:
http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/
Quote:
In partnership with Sonatype, researchers from Aspect Security analyzed 113
million downloads from the Central Repository (“Central”) of the 31 most
popular Java frameworks and security libraries [...]. We analyzed [...]
downloads of these libraries from more than 60,000 commercial, government, and
non-profit organizations.
Our analysis revealed several interesting findings, including:
• 29.8 million (26%) of library downloads have known vulnerabilities
• The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and
Struts 1.x
• Security libraries are slightly more likely to have a known vulnerability
than frameworks
• Based on typical vulnerability rates, the vast majority of library flaws
remain undiscovered
• Neither presence nor absence of historical vulnerabilities is a useful
security indicator
• Typical Java applications are likely to include at least one vulnerable
library
The data show that most organizations do not appear to have a strong process
in place for ensuring that the libraries they rely upon are up-to-date and
free from known vulnerabilities. We conclude that there are no shortcuts to a
secure application infrastructure and that the only useful indicator of
library security is a broad and rigorous review that finds minimal
vulnerability.
Thomas Koch, http://www.koch.ro