Osterman Research Software Supply Chain Study Finds 100 Percent of Commercial Applications Contain Vulnerable Software Components


Results Show Hidden Vulnerabilities in Browsers, Email, File Sharing, Online Meeting and Messaging Tools Put Organizations at Significant Risk of Cyberattacks.


BETHESDA, Md., Aug. 4, 2021 — GrammaTech, a leading provider of application security testing products and software research services, today released the findings of a study conducted by Osterman Research into the state of software supply chain security. The report found that 100% of commercial off-the-shelf (COTS) applications tested contained open-source components with security vulnerabilities; among those, 85% were critical.

Of the most popular browser, email, file sharing, online meeting and messaging products tested, 85% contained at least one critical vulnerability with a 10.0 CVSS (Common Vulnerability Scoring System) score—the highest possible. Meanwhile, 30% of all open-source components across all the applications tested contained at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier.

“Commercial off-the-shelf software applications often include open-source components, many of which contain a range of known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence,” said Michael Sampson, senior analyst, Osterman Research. “This lack of visibility into deployed and to be deployed applications is essentially a time bomb that increases an enterprise’s security risk, attack surface and potential for compromise by cyber criminals.”

A complete copy of the report is available here. GrammaTech and Osterman Research also discussed these findings in a recent on-demand discussion, Exposing Software Supply Chain Security Blind Spots.

Survey Highlights

The study evaluated widely used client-based COTS software products in five categories (web browsers, email, file sharing cloud storage, online meeting and messaging) for the presence of open-source components and whether they contained security vulnerabilities. Some of the key findings were:

  • Online Meeting and Email Most Vulnerable
    Applications in the online meetings and email client categories contained the highest average weighting of vulnerabilities. Given the widespread usage of these tools, organizations should better understand their security attack surface and the potential for compromise.
  • Open-Source Components Widely Used
    All applications analyzed contained open-source components. On average, 30% of all open-source components contained at least one vulnerability or security flaw that has been assigned a CVE identifier.
  • Components with Critical Vulnerabilities Commonly Used
    All but three of the applications in the study included at least one critical vulnerability with the highest possible CVSS score (10.0). The near-ubiquitous usage of such vulnerable components rendered comparisons between applications on this basis meaningless, as all applications are seen as vulnerable.
  • Newer Versions of Components Not More Secure
    Several components appeared in multiple versions across the tested applications, but newer versions were not always more secure, either as measured by the number of vulnerable components used or the weighted score of vulnerabilities in each component.
  • Highest Risk Components
    Of the components identified across the applications analyzed, two versions of the firefox open-source component (not the browser itself) contributed 75.8% of all CVEs. In second place, 16 versions of openssl had a combined 9.6% of the CVEs, and two versions of libav represented 8.3% of the CVEs.

“Most organizations trust suppliers to keep their software free of defects. As this survey shows, companies need to conduct their own quality control to verify the security of purchased software,” said Vince Arneja, Chief Product Officer for GrammaTech. “Maintaining an up to date software bill of materials that details software components and their associated vulnerabilities is the first step in being able to understand and mitigate security vulnerabilities in commercial software applications both before and after they are implemented.”


GrammaTech used its CodeSentry product to identify the presence of open-source components in the binary packaging of the most widely used software applications. The output reports for each application were supplied in PDF format to Osterman Research. The applications analyzed were grouped into the following five categories:

  • Web browsers
  • Email clients
  • File sharing clients
  • Online meetings clients
  • Messaging clients

About GrammaTech

GrammaTech is a leading global provider of application security testing (AST) solutions used by the world’s most security conscious organizations to detect, measure, analyze and resolve vulnerabilities for software they develop or use. The company is also a trusted cybersecurity and artificial intelligence research partner for the nation’s civil, defense, and intelligence agencies. GrammaTech has corporate headquarters in Bethesda MD, a Research and Development Center in Ithaca NY, and publishes Shift Left Academy, an educational resource for software developers. Visit us at, and follow us on LinkedIn and Twitter.  

CodeSonar® and CodeSentry® are registered trademarks of GrammaTech, Inc.
