Software Integrity Blog


Audit report shows open source management gaps remain

Taking a look at the findings in the 2017 Open Source Security and Risk Analysis Report

Synopsys is a company that thrives on data. In fact, it’s essential to our business. I’m constantly impressed by the amount of data that we collect and the degree to which our employees embrace the data-driven mentality here. We always want to arm our customers with the insights they need to manage their open source as effectively as possible.

So when we have a chance to step back and really analyze the state of open source use and open source management at organizations worldwide, we feel it is important to share those data-driven insights with our customers and with the industry as a whole.

The Open Source Security and Risk Analysis

That’s why we’ve released the 2017 Open Source Security and Risk Analysis (OSSRA). The OSSRA examines Black Duck On-Demand Audits of over 1000 commercial applications to explore the state of open source, understand the progress organizations have made toward managing open source risk, and offer recommendations to help those organizations manage security threats and license risks.

The Synopsys Center for Open Source Research & Innovation (COSRI) collects, anonymizes, and compiles this data from Black Duck’s audits for analysis. We use it to build a comprehensive understanding of our audit results and to answer both broad, higher-level questions and more specific ones. We wanted to know, among other things:

  • How much open source is being used?
  • Which components and even versions are most popular?
  • What licenses are most common?
  • Which components pose the highest security threat to applications?
  • Where do the most vulnerabilities show up and how long have they been there?
  • Which industries are managing open source well and which are putting their applications at risk?

OSSRA’s surprising results

It’s no surprise that almost all the applications scanned in this analysis used open source. However, OSSRA did provide some surprising results: applications on average contained 147 unique open source components. The report revealed some troubling news: 67% of applications containing open source had known vulnerabilities, and license risks were even more widespread. OSSRA also reached alarming industry-level conclusions: the Financial Services industry (known to spend a great deal of money on cybersecurity) was among the worst at managing open source security. It’s clear from the analysis that most organizations have a long way to go in managing their open source.

The upshot: Know your code

While today’s open source management landscape looks substandard at best, OSSRA also points out that there is a path forward for organizations that want to do better, providing steps they can take to defend against security threats and license risks. The key takeaways are:

  1. Make sure you have a full and accurate inventory of the open source in your applications
  2. Map your open source inventory to known security vulnerabilities using public sources such as the National Vulnerability Database
  3. Track and manage the license and quality risks in your code
  4. Set and enforce open source risk policies to mitigate the risks to your organization
  5. Monitor for the new security threats that are disclosed every day
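The five takeaways above describe a repeatable process, and the example below shows what the minimal version of that process looks like in code. It is an added illustration written for this post, not code from the OSSRA report or from Black Duck’s tooling. The component inventory, the vulnerability entries (with `VULN-PLACEHOLDER-*` identifiers, not real CVEs) and the policy rules are all constructed; a real pipeline would load the inventory from an SBOM or scanner output, pull vulnerability data from the NVD or a similar feed, and use a proper version-comparison library.

```python
"""Added example: an open source risk check following the five OSSRA takeaways.
All data below is constructed for illustration; identifiers are placeholders."""
from typing import Dict, List, Tuple

# Step 1: inventory. Constructed sample; a real one comes from an SBOM or a scan.
INVENTORY = [
    {"name": "libfoo", "version": "1.2.3", "license": "MIT"},
    {"name": "parsekit", "version": "0.9.1", "license": "GPL-3.0-only"},
    {"name": "netlib", "version": "2.0.0", "license": "Apache-2.0"},
    {"name": "oldcrypt", "version": "0.4.7", "license": "BSD-3-Clause"},
]

# Step 2: vulnerability data. Constructed; the ids are placeholders, not real CVEs.
# "introduced" is inclusive, "fixed" is exclusive, as in most advisory formats.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "name": "parsekit", "introduced": "0.0.0", "fixed": "0.9.2", "severity": "HIGH"},
    {"id": "VULN-PLACEHOLDER-2", "name": "oldcrypt", "introduced": "0.4.0", "fixed": "0.5.0", "severity": "CRITICAL"},
    {"id": "VULN-PLACEHOLDER-3", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.0", "severity": "MEDIUM"},
]

# Step 4: policy. Constructed organizational rules: licenses that may not ship,
# and the highest vulnerability severity that does not block a release.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "max_severity": "MEDIUM",
}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Handles dotted numeric versions only; real inventories need a version library."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    current = parse_version(version)
    return parse_version(introduced) <= current < parse_version(fixed)


def match_vulnerabilities(inventory: List[Dict], feed: List[Dict]) -> List[Dict]:
    """Step 2: join the inventory against the feed on name and affected range."""
    findings = []
    for component in inventory:
        for entry in feed:
            if entry["name"] == component["name"] and is_affected(
                component["version"], entry["introduced"], entry["fixed"]
            ):
                findings.append({
                    "id": entry["id"],
                    "name": component["name"],
                    "version": component["version"],
                    "severity": entry["severity"],
                    "fixed": entry["fixed"],
                })
    return findings


def check_licenses(inventory: List[Dict], policy: Dict) -> List[Dict]:
    """Step 3: flag components whose license the policy does not allow."""
    return [
        {"name": c["name"], "version": c["version"], "license": c["license"]}
        for c in inventory
        if c["license"] in policy["denied_licenses"]
    ]


def evaluate(inventory: List[Dict], feed: List[Dict], policy: Dict) -> Dict:
    """Step 4: apply the policy and decide whether the application passes."""
    vulns = match_vulnerabilities(inventory, feed)
    licenses = check_licenses(inventory, policy)
    limit = SEVERITY_RANK[policy["max_severity"]]
    blocking_vulns = [f for f in vulns if SEVERITY_RANK[f["severity"]] > limit]
    return {
        "vulnerabilities": vulns,
        "license_violations": licenses,
        "passed": not blocking_vulns and not licenses,
    }


def new_findings(previous: List[Dict], current: List[Dict]) -> List[Dict]:
    """Step 5: monitoring. Re-run against a fresh feed and report only what is new,
    so a nightly job alerts on newly disclosed issues rather than the whole backlog."""
    seen = {(f["id"], f["name"], f["version"]) for f in previous}
    return [f for f in current if (f["id"], f["name"], f["version"]) not in seen]


if __name__ == "__main__":
    report = evaluate(INVENTORY, VULN_FEED, POLICY)
    for finding in report["vulnerabilities"]:
        print(f"{finding['severity']:8} {finding['name']} {finding['version']} "
              f"({finding['id']}, fixed in {finding['fixed']})")
    for violation in report["license_violations"]:
        print(f"LICENSE  {violation['name']} {violation['version']} ({violation['license']})")
    print("policy passed:", report["passed"])
```

With the constructed data, `parsekit` and `oldcrypt` are inside their affected ranges while `libfoo` 1.2.3 is already past its fix version, so the run reports two vulnerabilities, one license violation, and a failed policy check. Running `new_findings` against the previous result after the feed grows is what turns a one-time audit into the ongoing monitoring the fifth takeaway calls for.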

Organizations continue to take advantage of the many benefits of open source in application development, building applications more cheaply, faster, and with richer functionality. Black Duck will continue to provide the guidance and insights, as well as the tools, that these organizations need to manage the risks of open source use effectively. Check out the full 2017 Open Source Security and Risk Analysis, and look out for more reports coming soon.