Java MalwareBy Don Reisinger | Posted 05-07-2012
Did you know that 80 percent of the code found in today's applications comes from libraries and frameworks?
26 percent of the 31 most popular Java frameworks and libraries contain malware?
Among the most vulnerable libraries, GWT, Xerces, Spring MVC, and Struts 1.x were most likely to be downloaded, according to Aspect Security.
18 Million Downloads
The sheer number of frameworks downloaded is stunning. Spring, one of the most popular libraries, was downloaded over 18 million times in 2011, according to the Aspect Security study.
Perhaps most concerning, Aspect Security found that "the vast majority of library flaws remain undiscovered."
Flaws Per Line
On average, Aspect Security found five to 10 security vulnerabilities for every 10,000 lines of Java code. The typical library consists of 10,000 to 200,000 lines of code.
The ramifications of all this are huge. According to Aspect Security,nearly 50 percent of all Global 500 companies are using some of the top 31 libraries. They're also heavily used across not-for-profit organizations.
On the library front, 37 percent contain known vulnerabilities, according to Aspect Security.
All the malware being downloaded via libraries and frameworks might scare you. In 2006, the figure stood at just under 15 million. In 2011, that figure stood at 45 million.
The More Popular The Better
According to Aspect Security, the more popular library and framework offerings contained 28 percent of known vulnerabilities. Not-so-popular options contained 38 percent of known vulnerabilities.