In this AppSec Decoded interview, we discuss the security and legal risks companies face when open source security vulnerabilities are ignored.
Last week Synopsys released the “2021 Open Source Security and Risk Analysis” (OSSRA) report, which highlights the state of open source security and license compliance. The report is an analysis of more than 1,500 audits of commercial codebases, performed by the Black Duck® Audit Services team.
One of the most alarming findings from this year’s report is that 91% of codebases contained open source dependencies with no development activity in the last two years. In other words, those dependencies received no code improvements or security fixes during that period.
Why should organizations, and consumers for that matter, be concerned? In the world of open source security, ignorance is not bliss. If organizations aren’t proactive about vulnerability updates, they run the risk of becoming an easy target for attackers. Additionally, if they fail to comply with open source licenses, they put their businesses at risk of litigation and expose their intellectual property to risk.
In our latest episode of AppSec Decoded, Taylor Armerding, Synopsys security advocate, discusses the security and legal risks organizations face when vulnerabilities are left unresolved.