What’s new in the 2021 ‘Open Source Security and Risk Analysis’ report

As the use of open source has grown, so has the number of vulnerabilities. Uncover the latest findings from the 2021 OSSRA report.


Open source libraries are the foundation for every application in every industry. But paralleling the popularity of open source is a growth in risk—specifically around open source licensing, security, code quality, and especially open source sustainability.

The sixth edition of the Synopsys Cybersecurity Research Center’s (CyRC) annual “Open Source Security and Risk Analysis” (OSSRA) report includes recommendations to help open source developers and consumers better understand the software ecosystem they are part of, as well as the risks that come with unmanaged open source development and use.

Over 1,500 codebases were audited by the Synopsys Black Duck® Audit Services team during 2020, both to support merger and acquisition transactions and to provide customers with inventories (better known as Bills of Materials) of the open source, third-party code, web services, and APIs used in their applications.


Growth in open source means growth in open source vulnerabilities

As in earlier years, the percentage of audited codebases found to contain open source was overwhelming: 98%. But the growth of open source brings a corresponding growth in open source risk, especially from vulnerabilities that affect the security and stability of the applications that depend on those libraries.

A full 84% of the 1,500+ audited codebases contained at least one public open source vulnerability, up nine percentage points from the 75% of 2019 and the second-highest year-over-year increase since 2017. The percentage of codebases containing high-risk open source vulnerabilities rose to 60% in 2020, a dramatic increase from the 49% of 2019.

Parallels between the ‘State of Mobile Application Security’ and OSSRA reports

The OSSRA results parallel the findings of the CyRC’s 2021 “Peril in a Pandemic: State of Mobile Application Security” report published earlier this year. For that report, CyRC researchers used binary analysis to scan over 3,000 of the most popular Android applications in the Google Play Store. Over 98% of those applications contained open source, and 63% contained vulnerable open source libraries. Nearly half of the open source vulnerabilities identified in that report were rated high risk.

The “Peril in a Pandemic: State of Mobile Application Security” report shows the clear impact the COVID-19 pandemic has had on the growth of mobile app downloads, as well as a corresponding likelihood that open source vulnerabilities will be present in those apps. Similarly, the number of open source vulnerabilities increased in the audits reported in the 2021 OSSRA, and that increase is especially pronounced when looking at industry breakdowns.


The pandemic has meant explosive growth in both apps and vulnerabilities

Despite lockdowns and work-from-home policies, businesses still needed to seek prospects, close deals, and communicate with and support customers, all of which drove a significant increase in the use of customer relationship technologies during 2020.

The OSSRA data shows that 100% of the codebases audited in the marketing tech industry category (which includes lead generation, CRM, and social media) contained open source, and 95% of those marketing tech codebases also contained open source vulnerabilities. Seventy-one percent of the audited retail and e-commerce codebases contained vulnerabilities, and in both the financial services/fintech and the healthcare sectors more than 60% of the audited codebases contained open source vulnerabilities.

The problem of open source sustainability

Of the codebases examined in 2020, 91% contained open source dependencies that had seen no development activity in the previous two years. In other words, 91% of the audited codebases depended on components that received no feature upgrades, no code improvements, and no security fixes over that period. The practical consequence is that when a vulnerability is disclosed in such a dependency, there may be no upstream fix to upgrade to, and the consuming team has to patch or replace the component itself.

Additionally, 85% of the codebases contained open source dependencies that were more than four years out of date: the codebase was pinned to a version of a library while newer releases, often many of them, were available.

How to manage a dynamic open source risk landscape

As open source use increases, managing a dynamic, changing risk landscape is becoming more difficult. To meet the challenge, development teams need reliable and timely open source vulnerability information, a comprehensive inventory of the open source dependencies their software uses, accurate guidance on vulnerability severity and exploitability, and clear direction on how to patch the affected open source.

Information: Unlike commercial software, open source has no vendor pushing patches to its users; keeping it up to date relies on consumers finding and pulling upgrades and fixes themselves. Development teams therefore need reliable and timely sources of vulnerability data, ideally delivered through the alert channels they already use every day (such as email, Slack, and Teams).

Inventory: To fix an open source vulnerability, teams have to first know the open source is there. Pinpointing vulnerable components in applications depends on identifying and inventorying all open source in the software.

Focus: Even armed with an inventory and a list of known open source vulnerabilities, development teams still often lack the time and resources to fix everything immediately. Concise information on the severity, exploitability, and impact of each vulnerability is vital to ensuring the most critical issues are fixed first.

Direction: The final piece of the puzzle is how to actually make the fix. Clear and concise patch information attached to an alert can arm the team with the information needed to quickly apply the fix.
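The four steps above (vulnerability information, inventory, focus, and patch direction) together with the two sustainability signals from the previous section (no development activity in two years, more than four years out of date) can be wired into a small triage pass. The following is an added example written for this page; it is not code from the OSSRA report or from Synopsys and does not model Black Duck. Every package name, version, date and advisory identifier in it is constructed for illustration, and the `fixed_in` single-threshold model of affected versions is a simplification of real advisory data.

```python
# Added example, not from the OSSRA report or Synopsys: a minimal open source
# risk triage over a constructed inventory. All names, versions, dates and
# advisory IDs below are made up; the advisory IDs are placeholders, not CVEs.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Advisory:
    advisory_id: str      # constructed placeholder, not a real identifier
    package: str
    fixed_in: str         # first version carrying the fix (simplified model)
    score: float          # CVSS-style base score, 0.0 to 10.0
    exploit_known: bool   # public exploit or active exploitation reported


@dataclass
class Finding:
    package: str
    installed: str
    advisory_id: str
    severity: str
    exploit_known: bool
    fix: str              # the "direction": what to upgrade to


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric suffixes are dropped for comparison."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_requirements(text):
    """Inventory step: {name: pinned version} from requirements.txt-style pins."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def severity_label(score):
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low"


def find_vulnerable(inventory, advisories):
    """Information step: match advisories against what is actually installed."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:                   # not in the inventory: not affected
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append(Finding(adv.package, installed, adv.advisory_id,
                                    severity_label(adv.score), adv.exploit_known,
                                    f"upgrade {adv.package} {installed} -> {adv.fixed_in}"))
    return findings


def prioritize(findings):
    """Focus step: known-exploited first, then by severity, then by name."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (not f.exploit_known, rank[f.severity], f.package))


def stale_dependencies(inventory, metadata, today):
    """Sustainability signals: no upstream activity in 2 years, or a pinned
    version more than 4 years old while newer releases exist."""
    stale = {}
    for name, installed in inventory.items():
        meta = metadata[name]
        reasons = []
        if today - meta["last_commit"] > timedelta(days=2 * 365):
            reasons.append("no development activity in 2 years")
        if (today - meta["pinned_released"] > timedelta(days=4 * 365)
                and parse_version(meta["latest"]) > parse_version(installed)):
            reasons.append(f"more than 4 years out of date (latest is {meta['latest']})")
        if reasons:
            stale[name] = reasons
    return stale


# Constructed sample inputs (hypothetical packages and dates).
REQUIREMENTS = """\
# pinned application dependencies (constructed)
examplelib==1.4.0
oldparser==0.9.2   # hypothetical abandoned component
fastjson-demo==2.1.0
"""
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "examplelib", "1.4.2", 9.8, False),
    Advisory("ADV-EXAMPLE-2", "oldparser", "1.0.0", 7.5, True),
    Advisory("ADV-EXAMPLE-3", "fastjson-demo", "2.0.5", 5.3, False),  # already fixed
]
METADATA = {
    "examplelib":    {"last_commit": date(2021, 3, 1),  "pinned_released": date(2020, 11, 5), "latest": "1.4.2"},
    "oldparser":     {"last_commit": date(2016, 6, 14), "pinned_released": date(2016, 6, 14), "latest": "1.0.0"},
    "fastjson-demo": {"last_commit": date(2021, 4, 2),  "pinned_released": date(2021, 1, 20), "latest": "2.1.0"},
}
TODAY = date(2021, 4, 20)   # fixed date so the example is reproducible


def triage(requirements=REQUIREMENTS, advisories=ADVISORIES, metadata=METADATA, today=TODAY):
    inventory = parse_requirements(requirements)
    return prioritize(find_vulnerable(inventory, advisories)), stale_dependencies(inventory, metadata, today)


if __name__ == "__main__":
    findings, stale = triage()
    for f in findings:
        print(f"[{f.severity}{', exploited' if f.exploit_known else ''}] {f.advisory_id}: {f.fix}")
    for name, reasons in stale.items():
        print(f"stale: {name}: {'; '.join(reasons)}")
```

Two design points worth noting. The high-severity but actively exploited finding sorts ahead of the critical-scored one that has no known exploit, which is the "focus" point the text makes: severity alone is not the right ordering. And the stale check runs on the whole inventory, not only on packages with advisories, because an abandoned dependency with no advisory today is the one that will have no fix available tomorrow.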


Posted by Fred Bals

Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.
