Every industry sector is dealing with open source security, licence compliance, and maintenance issues
Synopsys, Inc. has released its Open Source Security and Risk Analysis (OSSRA) study for 2021, which examines the findings of over 1,500 commercial codebase audits.
The study, produced by the Synopsys Cybersecurity Research Center (CyRC) and based on audits carried out by the Black Duck Audit Services team, highlights trends in open source use in commercial applications and offers insights to help commercial and open source developers better understand the interconnected software ecosystem in which they operate. It also examines the risks that unmanaged open source introduces: security vulnerabilities, outdated or abandoned components, and licence compliance issues.
The vast majority of applications in every sector are built on open source software, and every sector is struggling, to varying degrees, to manage the associated risk. In fact, the study found that 100% of the codebases audited in the marketing tech sector (including lead generation, CRM, and social media) contained open source, and 95% of those marketing tech codebases contained open source vulnerabilities.
More concerning is the widespread use of abandoned open source components: 91% of codebases contained open source dependencies with no development activity in the previous two years, which means no code improvements and no security fixes. This is, however, “not surprising,” according to Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center: “unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive.” Abandoned projects are not a new problem. The challenge is dealing with the security issues that accumulate as these unmaintained projects become harder to manage. Mackey suggests the answer is straightforward: “invest in supporting those projects you depend upon for your success.”
Outdated open source components in commercial applications have become the norm
Open source dependencies more than four years out of date were found in 85% of the codebases. Unlike abandoned projects, these outdated components have active developer communities that publish updates and security patches; the problem is that their downstream commercial users do not apply them.
Vulnerabilities in open source software are becoming more common
The percentage of codebases containing vulnerable open source components rose by 9% in 2020 compared with the previous year. The percentage of codebases containing high-risk vulnerabilities also rose, from 49% to 60%. Most of the top ten open source vulnerabilities found in the 2019 audits reappeared in the 2020 audits, all with significant percentage increases.
Licensing and open source
In 2020, open source licence conflicts were found in 65% of the codebases audited, most often involving the GNU General Public License (GPL). Furthermore, 26% of the codebases contained open source with either no licence or a customised licence, which can expose the user to intellectual property violations and other legal risk. All three issues (licence conflicts, unlicensed components, and custom licences) need careful review, particularly during merger and acquisition due diligence.