Commercial software may not be free of the flaw

Credit: OpenClipart-Vectors

That lingering Heartbleed flaw recently discovered in 200,000 devices is more insidious than that number indicates.

According to a report posted by Shodan, the Heartbleed vulnerability first exposed in April 2014 was still found in 199,594 internet-accessible devices during a scan it performed last weekend.

But according to open-source security firm Black Duck, about 11% of more than 200 applications it audited between Oct. 2015 and March 2016 contained the flaw, which enables a buffer overread that endangers data from clients and servers running affected versions of OpenSSL.

The company’s vice president of security strategy, Mike Pittenger, says it’s likely most of those machines have been remediated, but that doesn’t address the countless other applications – commercial and proprietary – that Black Duck didn’t audit. “It is significant, to be sure,” he says. “However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time.”

That 11% is a number from the company’s last published report. In a new report due out next month that hasn’t been wrapped up yet, that number is likely to dip into the single digits, but it is still significant.

The problem is that commercial software in general uses a great deal of open-source code – 35% on average – and the authors of that software don’t necessarily have processes in place to track when vulnerabilities are found in the open-source code and then to patch them, he says.
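The tracking process Pittenger describes is, at its simplest, an inventory of open-source components checked against known-vulnerable version ranges. The following is an added example, not code from the article or from Black Duck: it parses a constructed "name version" component list and flags OpenSSL builds in the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g; the inventory format and sample entries are assumptions).

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# Old-style OpenSSL versions use a trailing letter as the patch release ("1.0.1f"),
# so versions are compared as (major, minor, patch, letter_index).
# Pre-release builds such as "1.0.2-beta1" (also affected) do not match this
# pattern and are reported for manual review rather than silently skipped.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

FIRST_AFFECTED = "1.0.1"
LAST_AFFECTED = "1.0.1f"


def parse_version(v: str):
    """Return a comparable tuple, or None if the version string is not old-style OpenSSL."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    letter_index = ord(letter) - ord("a") + 1 if letter else 0  # "" < "a" < "b" ...
    return (int(major), int(minor), int(patch), letter_index)


def heartbleed_affected(version: str) -> bool:
    """True if an OpenSSL version lies in the affected range 1.0.1 .. 1.0.1f."""
    v = parse_version(version)
    if v is None:
        return False
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def audit_inventory(lines):
    """Parse 'name version' lines; return (name, version, verdict) for every OpenSSL entry."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(" ")
        if name.lower() != "openssl":
            continue
        if parse_version(version) is None:
            findings.append((name, version, "unparsed-review-manually"))
        elif heartbleed_affected(version):
            findings.append((name, version, "affected"))
    return findings


# Constructed sample inventory (hypothetical component list, not from any real audit).
SAMPLE_INVENTORY = """\
# component version
openssl 1.0.1e
zlib 1.2.8
openssl 1.0.1g
openssl 1.0.2-beta1
openssl 0.9.8y
"""

if __name__ == "__main__":
    for name, version, verdict in audit_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{name} {version}: {verdict}")
```

Only entries needing action are returned; 1.0.1g and 0.9.8y produce no finding because they fall outside the affected range.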
He says Black Duck’s study finds that two-thirds of these applications have open-source vulnerabilities of one kind or another and that those vulnerabilities average 5 years old.

In regard to Heartbleed in particular, he says the reports draw on anonymized data about its audits, so they don’t reveal the specific applications in which the Heartbleed vulnerability was found.

Running vulnerable applications in a regulated environment could have consequences for the enterprises using them, he says, because the security threat they represent could violate HIPAA or PCI security and privacy requirements.

The Shodan report on the prevalence of Heartbleed showed that the individual entities hosting the largest number of Heartbleed-vulnerable devices were service providers. That may be because these machines were set up a while ago and are no longer in use but were never taken offline, Pittenger says. For example, more than 5,163 were on Amazon Web Services, and many may be instances set up on the fly by development teams that never bothered to shut them down when they were done using them.