Open Source Risks Are Still A Challenge, But Organisations Are More Aware.

A report on 1,200 commercial applications and libraries reveals the current state of open source adoption, and the challenges it poses for enterprises

Synopsys Cybersecurity Research Centre (CyRC) has recently published a report examining 1,200 audits of commercial applications and libraries. Conducted by the Black Duck Audit Services team, these collected information about open source use, the security of its components, and licence conflicts.

The 2019 Open Source Security and Risk Analysis (OSSRA) report crunched the data collected during those audits to provide an overall picture of the state of open source use, highlighting the trends that present risk management challenges to organisations.

The figures analysed indicated that many organisations have reached higher awareness of the challenges that open source components present, and consequently improved their ability to manage that risk. This is perhaps also due to the maturation of commercial software composition analysis solutions, which allow organisations to stay on top of the threats that open source components can pose to their security standpoint.

Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Centre, described open source as a “vital component in modern software development and deployment”. He does, however, recommend organisations to make sure they have a thorough understanding of how it will impact their security posture, as well as license and compliance.

The report, continues Mackey, shows that there are still significant risks in terms of vulnerability and license conflicts, but also highlights that “these challenges can be addressed, as the number open source vulnerabilities and license conflicts have declined from the previous year.”

They key findings of the report include:

• The number of organisations adopting open source has increased. The average number of open source components contained in the audited codebases was 298 in 2018, a significant increase from the 257 found in 2017. Ninety-six percent of all the codebases analyses had at lease some open source components.
• Open source license conflicts can challenge intellectual property. Sixty-eight percent of codebases contained some form of open source license conflict, and 38% contained open source components with no identifiable license.
• “Legacy” components are still largely used. Eighty-five percent of codebases contained components that were more than four years out-of-date or had no development in the past two years. If a component is inactive and no one is maintaining it, that means no one is addressing its potential vulnerabilities.
• Open source components’ vulnerabilities are often unpatched. The average age of vulnerabilities identified in 2018 Black Duck Audits was 6.6 years, slightly higher than 2017—suggesting remediation efforts haven’t improved significantly. Forty-three percent of the codebases scanned in 2018 contained vulnerabilities over 10 years old. When viewed against the backdrop of the National Vulnerability Database adding over 16,500 new vulnerabilities in 2018, its clear patch processes need to scale to accommodate increased disclosures.
• An alarming number of unpatched open source vulnerabilities are high risk. Over 40% of codebases contained at least one high-risk open source vulnerability.

The report stresses that the problem itself isn’t open source software – it is, in fact, essential to software innovation – but the failure to address proactively the security and license risks that it comes with.

It seems, however, that in the wake of the Equifax breach (caused by a hole in their open source software) organisations are becoming increasingly aware of the risks these components come with.

The 2019 OSSRA report data revealed that, although there is still a significant number of unpatched vulnerabilities, organisations are getting better. Sixty percent of the codebases audited in 2018 contained at least one vulnerability—still significant, but much better than the figure of 78% from 2017.

Furthermore, license conflicts are being addressed more consistently. Sixty-eight percent of the 2018 audited codebases contained components with license conflicts, compared to 74% in 2017.

Overall, the report paints both an encouraging picture and a worrying one. Organisations seem to be heading in the right direction in terms of taking ownership of the risks open source components can open them up to, but there is still a long way to go before those are really minimised.