May 29, 2018

Takeaways from the 2018 Open Source Security and Risk Analysis Report

"The growth in open source use did not mean an equivalent growth in open source risk management"

By CBR Staff Writer

As part of Synopsys’ software composition analysis (SCA) offerings, the Black Duck On-Demand audit services group performs open source security audits for organisations looking to assess license compliance and security risks of a particular application or codebase.

The Synopsys Center for Open Source Research & Innovation (COSRI) collects, anonymises, and compiles data from those audits to produce the Open Source Security and Risk Analysis (OSSRA) reports.

Our goal is to assess the current state of open source, understand the efficacy of organisations in managing open source risks, and offer guidance to those who are looking to effectively use open source through managing the security threats and license compliance risks that come with it.

Fred Bals, Senior Content Strategist, Black Duck

The just-released 2018 OSSRA report analyses the audit results of over 1,100 commercial codebases from over 500 organisations.

In creating the report, we wanted to answer such questions as: How much open source is being used? What are the common open source security issues organisations face? What about the license risks? Just how many vulnerabilities should we expect to find, and which are the most common? Which industries do well in managing open source risks, and which expose their applications to greater risk? What type of progress do we see in open source risk management from last year?

We found answers to these questions and many more. Some results were expected, like the fact that almost every codebase we analysed (96%) contained open source. The reasons are straightforward—open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity.

Some results were surprising. For example, we found an average of 257 open source components per codebase, a 134% increase from last year’s OSSRA report. But, we also found that the growth in open source use did not mean an equivalent growth in open source risk management. In fact, the opposite appears to be true. Seventy-eight percent of the codebases analysed contained at least one vulnerability, up from 67% last year.


A Growing Number of Open Source Vulnerabilities are Accumulating in Codebases

Another important data point found by the scans was that the average age of the vulnerabilities discovered is increasing. On average, vulnerabilities identified in the audits were disclosed nearly six years ago—vs. the four years reported in 2017—suggesting that those responsible for remediation are taking longer to remediate, if remediating at all, and are allowing a growing number of open source vulnerabilities to accumulate in their codebases.

An example of this is the Apache Struts vulnerability that resulted in the Equifax breach, compromising the information of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Canadian customers. The Struts vulnerability was made public and a patch released in early March of 2017. The Equifax breach—enabled by an unpatched version of Struts that the credit agency had in use—was announced in September of 2017. The subsequent publicity would have made it difficult for anyone concerned with application security not to be aware of the need to patch any vulnerable version of Struts they might have in use.

Yet neither the vulnerability disclosure nor the Equifax news seemed to have much effect in prompting other organisations to investigate their applications for the Struts vulnerability. Eight percent of the audited codebases were found to contain Apache Struts, and of those, 33% still contained the Struts vulnerability that resulted in the Equifax breach.

Similarly, 17% of the audited codebases contained a named vulnerability, such as Heartbleed, Logjam, or Poodle, a remarkable figure given that named vulnerabilities generally receive a high level of publicity. Poodle was found in 8% of the codebases scanned, Freak and Drown were found in 5% and—discouragingly—Heartbleed was found in 4% of the scanned codebases, even more than four years after its disclosure and several well-publicised exploits.

Two Misconceptions about the OSSRA Reports

Each year after publishing an OSSRA report, the authors face two regular criticisms: one, that we are arguing for the use of proprietary software over open source; the other, that we claim open source is less secure than proprietary alternatives.

Outside of the fact that Black Duck by Synopsys would no longer be in business if open source disappeared—our raison d’être is to help organisations identify and manage the open source they use—the debate over open source vs. proprietary use should have ended years ago. Today, most application code is open source. Of the codebases we audited that contained open source, on average 57% of each codebase consisted of open source components. Many applications now contain more open source than proprietary code, a trend more likely to accelerate than to reverse.

As to security, what we do advocate is the responsible use of open source software, and, as the findings of the 2018 OSSRA report demonstrate, many organisations still have a long way to go towards that goal. All software has vulnerabilities, whether proprietary or open source. Open source is not less secure than proprietary code. But neither is it more secure. The open source community does an exemplary job of discovering and reporting vulnerabilities (over 4,800 reported in 2017 alone), as well as issuing patches, usually at the same time as the public disclosure. But an alarming number of companies simply do not apply patches.

If you don’t have processes and policies in place for open source management—especially for identifying and patching known vulnerabilities in open source components—you’re doing a disservice to the open source community, no matter how much of an open source champion you may claim to be. You can read the full 2018 Open Source Security and Risk Analysis report here.
