International. The Open Source Security and Risk Analysis (OSSRA) report indicates that most organizations are still working to identify and manage open source risk in their application portfolios.
The report says that "although the number of vulnerabilities in open source is small compared to proprietary software, in 2018 alone more than 7,000 vulnerabilities in open source were discovered. More than 50,000 have emerged in the last two decades."
The report highlights the persistent challenges organizations face when it comes to managing open source risk, including:
- An increase in the average number of open source components detected per code base, to more than 298. Organizations that use open source often overlook the security and licensing risks that come with it.
- Another record year for the number of open source vulnerabilities published in the NVD. Of the code bases audited, 60 percent contained at least one open source vulnerability and 68 percent contained components with license conflicts, according to the report.
- An increase in the average age of the open source vulnerabilities detected, with more than 40 percent of code bases containing a vulnerability that was disclosed more than a decade ago.
- More than 40 percent of code bases contain a high-risk vulnerability.
Despite these challenges, OSSRA data from 2019 suggests that, in the wake of the Equifax breach, greater awareness of open source risk and the maturation of commercial software composition analysis (SCA) tools have led to measurable progress, including:
- The percentage of code bases containing vulnerable components has decreased.
- The percentage of code bases containing license conflicts has decreased.