Posted by Synopsys Editorial Team on May 21, 2018
We audited 1,100 codebases in 2017 for open source components, vulnerabilities, and licenses. Here are some highlights from the 2018 OSSRA report.
Black Duck On-Demand’s audits of over 1,100 commercial applications in 2017 highlight the ongoing challenges organizations face in effectively identifying and securing open source.
Open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity. 96% of the audited applications used open source, with an average of 257 unique open source components each.
Many applications now contain much more open source than proprietary code. The average percentage of open source per codebase (57%) was up from last year (36%).
Over 4,800 open source vulnerabilities were reported in 2017. 78% of the codebases had at least one vulnerability, with an average of 64 vulnerabilities each.
The Internet of Things (IoT) encompasses a wide range of devices, from smart refrigerators to insulin pumps. IoT applications were 77% open source by code volume and had an average of 677 vulnerabilities each, far above the overall average.
The most common high-risk components included Zlib, Pivotal Spring Framework, and Apache Tomcat.
17% of the codebases contained a highly publicized vulnerability, such as Heartbleed, Logjam, FREAK, DROWN, or POODLE. 33% of the codebases using Apache Struts contained CVE-2017-5638, the Struts 2 remote code execution vulnerability exploited in the Equifax breach, months after a patched release was available.
Across all audits, 74% of the codebases contained components with license conflicts, and 44% of all applications had GNU General Public License (GPL) conflicts. In the telecommunications and wireless industry, 100% of applications had license conflicts.
An organization that does not know which open source components it ships, and at which versions, cannot patch them when a vulnerability such as CVE-2017-5638 is disclosed, cannot tell which of its products a named vulnerability affects, and exposes itself to license compliance risk and the loss of IP.
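The inventory-and-check step described above, as an added example that is not part of the original post and not Black Duck's or Synopsys's tooling: the script builds a component inventory, matches each component against known-vulnerable version ranges, and flags licenses that conflict with a proprietary distribution policy. The inventory, the license policy, and all function names are constructed for this example; the affected-version ranges for CVE-2017-5638 (Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10) are the published ones.

```python
"""Minimal software-composition check (added example, not the report's code):
inventory open source components, match them against known-vulnerable version
ranges, and flag licenses that conflict with proprietary distribution."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str      # package coordinates, e.g. Maven group:artifact
    version: str
    license: str   # SPDX identifier declared by the package


def parse_version(version: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31). Non-numeric suffixes ('1.2.11a') are
    dropped and short versions are right-padded so that '2.5' == '2.5.0'."""
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, ranges) -> bool:
    """True if version falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


# Known-vulnerable ranges keyed by component. CVE-2017-5638 is the Struts 2
# remote code execution flaw named in the post; the ranges are the published
# affected versions (2.3.5-2.3.31 and 2.5-2.5.10).
ADVISORIES = {
    "org.apache.struts:struts2-core": [
        ("CVE-2017-5638", [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]),
    ],
}

# Licenses a proprietary, binary-distributed product cannot ship under without
# a compliance review. This policy is an assumption of the example.
COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}

# Constructed inventory for a hypothetical application.
INVENTORY = [
    Component("org.apache.struts:struts2-core", "2.3.30", "Apache-2.0"),
    Component("org.apache.tomcat:tomcat-catalina", "8.5.29", "Apache-2.0"),
    Component("zlib", "1.2.11", "Zlib"),
    Component("readline", "7.0", "GPL-3.0-or-later"),
]


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Return [(component_name, version, advisory_id)] for every match."""
    hits = []
    for c in inventory:
        for advisory_id, ranges in advisories.get(c.name, []):
            if is_affected(c.version, ranges):
                hits.append((c.name, c.version, advisory_id))
    return hits


def find_license_conflicts(inventory, forbidden=COPYLEFT):
    """Return [(component_name, version, license)] for every policy violation."""
    return [(c.name, c.version, c.license) for c in inventory if c.license in forbidden]


if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(INVENTORY):
        print(f"VULNERABLE  {name} {version}: {advisory}")
    for name, version, lic in find_license_conflicts(INVENTORY):
        print(f"LICENSE     {name} {version}: {lic} conflicts with proprietary distribution")
```

On the constructed inventory the script reports the Struts 2.3.30 component as affected by CVE-2017-5638 and the GPL-licensed readline as a license conflict; the Struts 2.5.13 release, which is outside the published ranges, would not be flagged. A real deployment would generate the inventory from build manifests or a binary scan and pull advisories from a vulnerability feed rather than a hard-coded table.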