The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report examines findings from the anonymized data of over 1,100 commercial codebases audited in 2017. Industries represented in the report include the automotive, big data, cyber security, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing, and mobile app markets.
The report highlights a massive uptick in open source adoption, with 96 percent of the applications scanned containing open source components. The data also shows that the average number of open source components found per codebase (257) grew by 75 percent over the previous year, with many applications containing more open source than proprietary code. What is worrisome is that 78 percent of the codebases examined contained at least one open source vulnerability, with an average 64 vulnerabilities per codebase. Over 54 percent of the vulnerabilities found in audited codebases are considered high-risk vulnerabilities. Seventeen percent of the codebases contained a highly publicized vulnerability such as Heartbleed, Logjam, Freak, Drown, or Poodle.
“Since modern software and infrastructure depend heavily on open source technologies, having a clear view of components in use is a key part of corporate governance,” said Tim Mackey, technical evangelist at Black Duck by Synopsys. “The report clearly demonstrates that with the growth in open source use, organizations need to ensure they have the tools to detect vulnerabilities in open source components and manage whatever license compliance their use of open source may require.”
Vulnerable open source components were found in applications in every industry. The Internet and Software Infrastructure vertical had the highest proportion—67 percent—of applications containing high-risk open source vulnerabilities. Ironically, 41 percent of the applications in the Cyber Security industry were found to have high-risk open source vulnerabilities, putting that vertical at fourth highest risk.
In addition, 33 percent of the audited codebases that contained Apache Struts also contained the vulnerability that resulted in the Equifax breach. The report clearly shows that organizations are allowing a growing number of vulnerabilities to accumulate in their codebases. On average, vulnerabilities identified in the audits were disclosed nearly six years ago.
“When Equifax was breached through the Apache Struts vulnerability, the need for open source security management became front-page news,” said Evan Klein, the Black Duck product marketing manager responsible for the OSSRA report. “Yet even though it was disclosed in March 2017, many organizations apparently still have not checked their applications for the Struts vulnerability.”
Based on the findings, 74 percent of the codebases audited also contained components with license conflicts, the most common of which were GPL license violations. The percentage of applications with license conflicts within verticals ranged from the Retail and E-commerce industry’s relative low of 61 percent to the high of the Telecommunications and Wireless industry—where 100 percent of the code scanned had some form of open source license conflict.
To download the OSSRA report, click here