On 28.07.2016 16:24, Andrew Dinn wrote:
> Now, you might wish to eschew (decline to chew) the aspirin and pooh-pooh
> Dalibor's assessment that there is a /significant/ risk involved
> here.
"An analysis of 25,000 scans reveals that 6.8% of components
being used in applications contained at least one known security
vulnerability. This finding demonstrates that defective components are
making their way across the entire software supply chain -- from initial
sourcing to use in finished goods."
"However, because a single component may contain multiple
vulnerabilities, it's important to understand that an average
application consisting of 106 components -- of which 6.8% are
known bad -- could contain numerous unique vulnerabilities" [0]
Relevant background reading:
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
cheers,
dalibor topic
[0] http://www.sonatype.com/hubfs/SSC/2016_State_of_the_Software_Supply_Chain_Report.pdf
--
Dalibor Topic | Principal Product Manager | http://www.oracle.com
Phone: +494089091214 | Mobile: +491737185961
ORACLE Deutschland B.V. & Co. KG | Kühnehöfe 5 | 22761 Hamburg