Posted by Evan Klein on April 19, 2017
Synopsys is a company that thrives off data. In fact, it’s essential to our business. I’m constantly impressed by the amount of data that we collect and the level to which our employees embrace the data-driven mentality here. We always want to arm our customers with the insights they need to manage their open source as effectively as possible.
So when we have a chance to take a step back and really analyze the state of open source use and open source management at organizations worldwide, we feel it important to provide those data-driven insights to our customers, and to the industry as a whole.
That’s why we’ve released the 2017 Open Source Security and Risk Analysis (OSSRA). The OSSRA takes a look at Black Duck On-Demand Audits of over 1000 commercial applications to explore the state of open source, understand the progress organizations have made toward managing open source risk, and offer recommendations to help those organizations manage security threats and license risks.
The Synopsys Center for Open Source Research & Innovation (COSRI) collects, anonymizes, and compiles this data from Black Duck’s audits for analysis. We use this to drive a comprehensive understanding of our audit results and to answer some broad, higher-level questions, as well as some deeper ones. We wanted to know, among other things:
It’s no surprise that almost all the applications scanned in this analysis used open source. However, OSSRA did provide some surprising results: applications on average contained 147 unique open source components. The report also revealed some troubling news: 67% of applications with open source had vulnerabilities, and legal risks were even more widespread. OSSRA even came to alarming industry-level realizations: the Financial Services industry (known to spend a great deal of money on cybersecurity) was among the worst at managing open source security. It’s clear from the analysis that most organizations have a long way to go in managing their open source.
While today’s open source management landscape looks substandard at best, OSSRA also points out that there’s a path forward for organizations who want to do better, providing steps they can take to defend against security threats and license risks. The key takeaways here are:
Organizations continue to take advantage of the many benefits of open source in application development, building applications cheaper, faster, and with increased feature functionality. Black Duck will continue to provide the guidance and insights, as well as the tools, these organizations need to effectively manage the risks of open source use. Check out the full 2017 Open Source Security and Risk Analysis. And look out for more reports coming out soon.