As the amount of software powering our lives continues to increase, developers are churning out code faster. While this makes consumers’ lives easier, we still need to bake in security well before code is released.

With consumers demanding more, companies are being pushed to release new features faster.

Add to this the move to DevOps (where developers constantly release code to production), and new code is constantly being pushed out to the web.

To make this easier, various components of applications are built using pre-built blocks of code (known as libraries and frameworks). Most of the time, these components are open source.

So eventually, every application is built from both custom code and open source components.

  1. Custom code components are written by in-house developers
  2. Open source components are written by developers worldwide, and are also used by applications worldwide.

Since open source software (OSS) components are used with multiple applications, if hackers find a vulnerability in an OSS component, they can use the same hack to get into any application that uses this vulnerable component.

While open source components are generally considered secure, hackers are incentivized to find vulnerabilities in OSS. This is because:

  1. The source code is out in the open, making it easier to find vulnerabilities
  2. If a vulnerability is found, hackers can try the same exploit on all applications with that component to find a point of entry.

Vulnerable OSS components are easy for application owners to find, but also easily exploitable by hackers. This low-hanging fruit for all parties also comes with potentially disastrous consequences for organizations. Thankfully, it is easy to identify a vulnerable OSS component in your application (if the vulnerability has already been published or disclosed) and update the component to a version in which the vulnerability is fixed. As an example, when the Apache Struts2 vulnerability was found, users just needed to upgrade to a newer version of Struts2 that didn't have that vulnerability.
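The identify-and-upgrade step above is what a dependency check automates: read the components an application declares, compare each version against an advisory list, and report the first fixed version. The script below is an added example, not code from this post or from Bugcrowd; the pom.xml fragment, the advisory ranges (which are constructed and not real Struts2 advisories) and the function names are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Maven manifest fragment (not any real project's pom.xml).
# Real pom files declare a default xmlns; strip or handle it before iter().
SAMPLE_POM = """<project><dependencies>
  <dependency><groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId><version>2.3.5</version></dependency>
  <dependency><groupId>com.example</groupId>
    <artifactId>example-lib</artifactId><version>1.4.0</version></dependency>
</dependencies></project>"""

# Constructed advisory list: (group, artifact, first affected, first fixed).
# Illustrative ranges only, not taken from any real Struts2 advisory or CVE.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.3.0", "2.3.6"),
    ("com.example", "example-lib", "2.0.0", "2.0.3"),
]

def parse_version(v):
    """'2.3.10' -> (2, 3, 10): compare numerically, since '2.3.10' < '2.3.9' as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_dependencies(pom_xml):
    """Return [(group, artifact, version), ...] from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    return [(d.findtext("groupId"), d.findtext("artifactId"), d.findtext("version"))
            for d in root.iter("dependency")]

def find_vulnerable(deps, advisories=ADVISORIES):
    """Flag each dependency whose version lies in [first_affected, first_fixed)."""
    findings = []
    for group, artifact, version in deps:
        for adv_group, adv_artifact, first_bad, first_fixed in advisories:
            if (group, artifact) != (adv_group, adv_artifact):
                continue
            if parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed):
                findings.append({"component": f"{group}:{artifact}",
                                 "installed": version, "upgrade_to": first_fixed})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(parse_dependencies(SAMPLE_POM)):
        print(f"{f['component']} {f['installed']} is affected; upgrade to {f['upgrade_to']}")
```

The half-open range [first affected, first fixed) is what makes the upgrade advice actionable: the reported version is the one to move to, and a component already at or past it is not flagged.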

How can Bugcrowd help?

Bugcrowd helps find vulnerabilities in both open source and custom code. We help you identify vulnerabilities faster, so you can now focus on fixing them by working with your development team. You now have more time to identify issues that need internal contextual knowledge, and can only be solved by your expert security team.

Contact us to get started today.