Software Integrity Blog


Highlights from the 2018 Open Source Security and Risk Analysis Report

We audited 1,100 codebases in 2017 for open source components, vulnerabilities, and licenses. Here are some highlights from the 2018 OSSRA report.

Infographic: Highlights from the 2018 Open Source Security and Risk Analysis report


Black Duck On-Demand’s audits of over 1,100 commercial applications in 2017 highlight the ongoing challenges organizations face in effectively identifying and securing open source.

Open source components are essential to application development.

Open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity. 96% of the applications audited contained open source, with an average of 257 unique open source components each.

Open source is ubiquitous in both commercial and internal applications.

Many applications now contain much more open source than proprietary code. The average percentage of open source per codebase (57%) was up from last year (36%).

Organizations are not addressing open source threats effectively.

Over 4,800 open source vulnerabilities were reported in 2017. 78% of the codebases had at least one vulnerability, with an average of 64 each.

Organizations planning to use IoT technology need to be aware of open source use.

The Internet of Things (IoT) encompasses a wide range of devices, from smart refrigerators to insulin pumps. IoT applications were on average 77% open source and had an average of 677 vulnerabilities each.

Every industry vertical uses open source components.

Average percentage of open source per codebase, by industry:

  • Aerospace, Aviation, Automotive, Transportation Logistics: 53%
  • Big Data, AI, BI, Machine Learning: 45%
  • Computer Hardware & Semiconductors: 74%
  • Cyber Security: 36%
  • Ed Tech: 45%
  • Energy & Clean Tech: 11%
  • Enterprise Software/SaaS: 46%
  • Financial Services & FinTech: 27%
  • Healthcare, Health Tech, Life Science: 48%
  • Internet & Mobile Apps: 57%
  • Internet of Things: 77%
  • Internet & Software Infrastructure: 65%
  • Manufacturing, Industrials, Robotics: 32%
  • Marketing Tech: 76%
  • Retail & E-commerce: 71%
  • Telecommunications & Wireless: 64%
  • Virtual Reality, Gaming, Entertainment, Media: 70%

The most common high-risk components included zlib, the Pivotal Spring Framework, and Apache Tomcat.

On average, the vulnerabilities identified were publicly known for nearly 6 years.

These included named vulnerabilities such as Heartbleed, Logjam, FREAK, DROWN, and POODLE. 17% of the codebases contained a highly publicized vulnerability. 33% of the codebases using Apache Struts contained the vulnerability exploited in the Equifax breach (CVE-2017-5638).

Open source components are governed by one of about 2,500 open source licenses.

In the telecommunications and wireless industry, 100% of applications had license conflicts. Among all audits, 74% of the codebases contained components with license conflicts. 44% of all applications had GNU General Public License (GPL) conflicts.

If an organization isn’t aware of the open source it uses, it can’t defend against common attacks targeting vulnerabilities in those components, and it exposes itself to license compliance risk and the loss of IP.
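The point above is only actionable once a component inventory exists and is compared against known-vulnerable version ranges. The script below is an added illustration for this post, not Black Duck or Synopsys code: it checks a constructed "name@version" inventory against two real advisories the post names (Struts CVE-2017-5638, ranges from the Apache S2-045 notice; Heartbleed CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f). The inventory lines, the `maven:` and `openssl` component names, and the range format are assumptions made for the example. It deliberately handles the version-comparison trap that makes naive inventories miss hits: `2.3.9` must sort below `2.3.32`, and `2.5.10` below `2.5.10.1`.

```python
"""Check an open source component inventory against known-vulnerable version
ranges.  Added illustration for this post, not Black Duck or Synopsys code.
Advisory ranges come from the public notices for the two CVEs named in the
post; the inventory is constructed sample input.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str                       # ecosystem-qualified name (assumed format)
    cve: str
    ranges: tuple[tuple[str, str], ...]  # (introduced, fixed): affected iff introduced <= v < fixed


# Real advisories: Apache Struts S2-045 (2.3.5-2.3.31, 2.5-2.5.10) and
# OpenSSL Heartbleed (1.0.1 through 1.0.1f, fixed in 1.0.1g).
ADVISORIES = (
    Advisory("maven:org.apache.struts:struts2-core", "CVE-2017-5638",
             (("2.3.5", "2.3.32"), ("2.5", "2.5.10.1"))),
    Advisory("openssl", "CVE-2014-0160",
             (("1.0.1", "1.0.1g"),)),
)

# Constructed sample inventory, the kind of list an SCA scan or SBOM yields.
SAMPLE_INVENTORY = """\
# name@version, one component per line
maven:org.apache.struts:struts2-core@2.3.31
maven:org.apache.struts:struts2-core@2.5.10.1
openssl@1.0.1f
openssl@1.0.2k
zlib@1.2.11
"""


def version_key(v: str) -> list:
    """Sortable key for dotted versions with optional patch-letter suffixes
    (2.3.32, 2.5.10.1, 1.0.1g).  Numeric fields compare as integers, so
    2.3.9 < 2.3.32 (a plain string compare gets that wrong), and a bare
    prefix sorts before a longer version (2.5.10 < 2.5.10.1, 1.0.1 < 1.0.1a).
    Assumption: no pre-release tags; semver '-rc1' style qualifiers would
    need a scheme-specific comparator.
    """
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[a-z]+", v.lower())]


def is_affected(version: str, ranges) -> bool:
    """True if version falls in any half-open [introduced, fixed) range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in ranges)


def parse_inventory(text: str) -> list[tuple[str, str]]:
    """Parse 'name@version' lines; blank lines and '#' comments are skipped."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.rpartition("@")
        if not name or not version:
            raise ValueError(f"malformed inventory line: {line!r}")
        items.append((name, version))
    return items


def find_vulnerable(inventory_text: str, advisories=ADVISORIES) -> list[tuple[str, str, str]]:
    """Return (component, version, cve) for every inventory entry in an affected range."""
    by_component: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    hits = []
    for name, version in parse_inventory(inventory_text):
        for adv in by_component.get(name, []):
            if is_affected(version, adv.ranges):
                hits.append((name, version, adv.cve))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{name}@{version}: {cve}")
```

On the sample inventory this flags struts2-core 2.3.31 and OpenSSL 1.0.1f, and correctly leaves struts2-core 2.5.10.1 (the fixed release) and OpenSSL 1.0.2k alone. A real pipeline would feed the inventory from a build manifest or SBOM and the advisory table from a vulnerability feed, but the matching logic, and the need for a comparator that understands each ecosystem's version scheme, is the same.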
