I have blogged before about the pervasiveness of open source in applications today. Synopsys and other organizations have been tracking its growth for years, particularly as it relates to the amount of open source code we find in the applications we scan. Our Black Duck On-Demand Audit team scans thousands of applications every year, mostly in M&A scenarios. Many of our customers come to us during their due diligence efforts to offer a third-party assessment of the open source in a codebase, its related license obligations, and potential security risks. This audit data gives us a unique view of the open source landscape.
Posted in Open Source Security, Software Composition Analysis | Comments Off on Open source security risk: Managing the threat in mergers and acquisitions
Open source is everywhere. Researchers have been tracking its growth for years, but because open source is now so pervasive, they are increasingly concerned about the security of applications built on the foundation of open source components. The only way an organization can be sure of the open source in its codebase, other than by meticulously tracking such use by hand, is by performing software composition analysis (SCA). 451 Research defines software composition analysis as “the identification of third-party, primarily open source, libraries that have been built into an application.” This identification capability helps organizations discover unpatched code, licensing issues, and potential security vulnerabilities that may be present in a codebase owing to open source use.
Why software composition analysis?
The simplest use case for SCA is an individual company monitoring and identifying its own use of open source components and frameworks. But in the latest study from 451 Research, they detail other use cases for SCA, the primary use case being in the mergers and acquisitions (M&A) space. As young companies bring new applications to market rapidly, they use increasingly more open source. So in M&A transactions, because management of open source is still relatively immature, the onus shifts to acquiring companies to be aware of the potential risks they may be inheriting along with the intellectual property in these codebases.
Getting a clear picture of open source in enterprise apps
Many statistics out there illustrate how much open source is in the typical software application. However, those stats can be misleading and often tell the wrong story. To get a clearer picture of open source growth for enterprise use, we should look at the percentage of open source in new applications. According to the 2018 Open Source Security and Risk Analysis (OSSRA) report, in more than 1,100 open source audits Black Duck by Synopsys conducted on commercial codebases last year, the average codebase was made up of 57% open source. That means that on average, more than half of each codebase we scanned was made up of open source components. It’s important to note that a key use case for a Black Duck Open Source Audit is M&A due diligence, meaning that the data in the OSSRA report is an excellent indicator of trends in open source in M&A transactions.
Faster delivery means more open source
As 451 Research states in its brief, the trend toward faster, more iterative delivery of applications is not going to abate anytime soon: “The use of open source components in those applications is no longer a novel idea. There is now a generation of developers for whom using code written by a third party, available at no-cost, is as intuitive as any other part of the development lifecycle, and is driven by the delivery demands placed on them.”
Posted in General, Open Source Security, Software Composition Analysis | Comments Off on Software composition analysis & the secret ingredients for a successful M&A
There has been much buzz about the GDPR (Global Data Protection Regulation) set to go into effect in May of 2018. Black Duck discussed the topic in our legal track at the Black Duck FLIGHT 2017 user conference, where Daniel Hedley from Irwin Mitchell looked at how European companies are preparing for GDPR.
Posted in Open Source Security, Security Standards and Compliance | Comments Off on GDPR Readiness Summit: Preparing for May 2018