International. Synopsys, Inc. released the 2019 Open Source Security and Risk Analysis (OSSRA) report, which highlights trends and patterns in open source usage, as well as the prevalence of insecure open source components and license conflicts.
The report, produced by Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,200 audits of business applications and libraries, conducted by the Black Duck Audit Services team.
As the report shows, many of the trends in the use of open source that have presented risk management challenges to organizations in previous years persist today. However, the data also suggests that a tipping point has been reached, with many organizations improving their ability to manage open source risk, possibly due to increased knowledge and maturation of commercial software composition analysis solutions.
"Open source plays an increasingly vital role in the development and deployment of modern software, but to realize its value, organizations must understand and manage how it affects their risk posture from a security and licensing compliance perspective," said Tim Mackey, chief security strategist at Synopsys Cybersecurity Research Center. "The 2019 OSSRA report offers a glimpse into the state of open source risk management within commercial applications. It shows that significant challenges still exist, and most applications contain open source security vulnerabilities and license conflicts. But it also highlights that these challenges can be addressed, as the number of open source vulnerabilities and license conflicts has decreased from the previous year."
Some of the most notable open source risk trends identified in the 2019 OSSRA report include:
- There has been a significant increase in open source adoption. Ninety-six percent of the code bases audited in 2018 contained open source components, with an average of 298 open source components per code base compared to 257 in 2017.
- Open source license conflicts can put intellectual property at risk. Sixty-eight percent of the code bases contained some sort of open source license conflict, and 38% contained open source components with no identifiable license.
- The use of 'abandoned' components is common. Eighty-five percent of the code bases contained components that were outdated for more than four years or had not been developed in the past two years. If a component is down and no one maintains it, that means no one is addressing its potential vulnerabilities.
- Many organizations fail to patch or update their open source components. The average age of vulnerabilities identified in 2018 Black Duck Audits was 6.6 years, slightly higher than in 2017, suggesting that remediation efforts have not improved significantly. Forty-three percent of code bases scanned in 2018 contained vulnerabilities older than 10 years. When viewed in the context of the National Vulnerability Database and more than 16,500 new vulnerabilities are added in 2018, your clear patching processes need to scale to accommodate a higher level of disclosure.
- Not all vulnerabilities are created equal, but many organizations aren't even addressing the riskiest ones. More than 40% of code bases contained at least one high-risk open source vulnerability.
The report notes that the use of open source software is not a problem in itself and is in fact essential to software innovation. However, failing to proactively identify and manage the security and licensing risks associated with using open source components can be very damaging. Despite the identified risk factors, OSSRA data from 2019 suggests that, in the wake of the Equifax breach, an increase in knowledge of open source risk and the maturation of commercial software composition analysis solutions has led to a breakthrough:
Organizations are getting better at managing open source security vulnerabilities. Sixty percent of the code bases audited in 2018 contained at least one vulnerability, still significant, but much better than the 78% figure in 2017.
Overall, compliance with the open source license has also improved. Sixty-eight percent of the 2018 audited code bases contained components with license conflicts, up from 74% in 2017.
The full report can be downloaded at the following link: https://bit.ly/2J5dAAo
