According to SAP, more than 80% of all cyber attacks occur at the application layer,1 targeting software applications rather than the network.
Attackers take the easiest path: they choose the applications that present the largest attack surface, and that surface is most often created by unpatched or outdated software.
Heartbleed, for example, is a critical flaw (CVE-2014-0160) in OpenSSL, an open source library used in hundreds of thousands of applications to secure network communications against eavesdropping; it lets a remote peer read memory from a vulnerable process. Yet 56% of the OpenSSL versions that Cisco Security Research examined for its 2015 security report2 were still vulnerable to Heartbleed, even though the flaw had been disclosed, and a patched OpenSSL release issued, in April 2014.
This illustrates the difficulty organizations have in inventorying and managing open source components, rather than any lack of security diligence. Without a comprehensive list of the open source components in use, an organization cannot reliably identify which of its applications include a vulnerable component, let alone patch them.
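As an added example (not code from the original page, SAP, Cisco or the OpenSSL project), the following Python script shows what the inventory check above looks like in practice: it matches a constructed component inventory against the OpenSSL release range affected by Heartbleed. The inventory rows and application names are hypothetical; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the one published with the fix.

```python
"""Added example: flag applications in a component inventory that ship a
Heartbleed-affected OpenSSL build.

Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix. The 0.9.8 and 1.0.0
branches never contained the TLS heartbeat code and are not affected.
"""
import re

# Constructed inventory in the shape an SBOM export might take: one row per
# (application, component, version). Application names are hypothetical.
INVENTORY = [
    {"app": "billing-api",     "component": "openssl", "version": "1.0.1f"},
    {"app": "billing-api",     "component": "zlib",    "version": "1.2.8"},
    {"app": "customer-portal", "component": "openssl", "version": "1.0.1g"},
    {"app": "legacy-vpn",      "component": "openssl", "version": "0.9.8y"},
    {"app": "build-agent",     "component": "openssl", "version": "1.0.2-beta1"},
    {"app": "reporting",       "component": "openssl", "version": "1.0.2k"},
]

# major.minor.fix, optional patch letters (a..z, then za, zb, ...), optional -betaN
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_openssl_version(version):
    """Turn '1.0.1f' or '1.0.2-beta1' into a tuple that sorts correctly.

    Patch letters are successive patch levels on a release; a beta sorts
    before the final release of the same number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters, beta = m.groups()
    if beta:
        # (final=0, beta number) sorts below any final release
        return (int(major), int(minor), int(fix), 0, int(beta))
    patch = 0
    if letters:
        # 'a' -> 1 ... 'z' -> 26, 'za' -> 27, 'zb' -> 28, ...
        patch = 26 * (len(letters) - 1) + (ord(letters[-1]) - ord("a") + 1)
    return (int(major), int(minor), int(fix), 1, patch)


# Inclusive (low, high) ranges of affected upstream releases.
HEARTBLEED_RANGES = [
    (parse_openssl_version("1.0.1"), parse_openssl_version("1.0.1f")),
    (parse_openssl_version("1.0.2-beta1"), parse_openssl_version("1.0.2-beta1")),
]


def is_heartbleed_vulnerable(version):
    """True if the upstream OpenSSL version string falls in an affected range."""
    v = parse_openssl_version(version)
    return any(lo <= v <= hi for lo, hi in HEARTBLEED_RANGES)


def find_affected_apps(inventory, component="openssl",
                       predicate=is_heartbleed_vulnerable):
    """Return the sorted names of applications shipping an affected build."""
    hits = set()
    for row in inventory:
        if row["component"].lower() == component and predicate(row["version"]):
            hits.add(row["app"])
    return sorted(hits)


if __name__ == "__main__":
    for app in find_affected_apps(INVENTORY):
        print(f"{app}: ships a Heartbleed-affected OpenSSL")
```

The version-range check is only as good as the inventory it runs over, which is the page's point: an application whose OpenSSL copy is not recorded is never examined. One caveat for real deployments: distribution packages that backport the fix keep the upstream version string (a patched 1.0.1e package still reports 1.0.1e), so a range match on the bare version should be treated as a lead to confirm against the package's own changelog or a runtime test, not as a final verdict.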