Posted by Evan Klein on May 15, 2018
2017 was a tumultuous year in the world of open source software. A massive data breach at Equifax exposed millions of U.S., U.K., and Canadian residents’ sensitive personal and financial information and gained widespread media attention. As open source software becomes embedded in our everyday lives, not only through our phones and computers but through our automobiles, medical devices, home appliances, and even our voting systems, newsworthy hacks have become a common occurrence, and the need for security has become all too obvious. Government agencies are racing to address and regulate this ever-changing landscape, announcing regulations such as Europe’s General Data Protection Regulation (GDPR), which will be implemented May 25, 2018. Meanwhile, violations of the GNU General Public License (GPL), a widely used open source license, garnered attention in the courts.
To better understand the state of open source use and open source management in organizations worldwide, Synopsys studies the findings from its Black Duck On-Demand open source audits. Building on the findings from last year’s report, Synopsys has now released the 2018 Open Source Security and Risk Analysis (OSSRA) to provide data-driven insights for our customers and for all consumers of and contributors to open source software.
The 2018 OSSRA takes a closer look at open source by examining the events that shaped our industry and by analyzing the audit results from over 1,100 commercial codebases. To achieve the latter, the Synopsys Center for Open Source Research & Innovation (COSRI) collects, anonymizes, and compiles the data from Black Duck On-Demand audits. Our goal with this analysis is to assess the current state of open source, understand the efficacy of organizations in managing open source risks, and offer guidance to those who are looking to effectively use open source by managing the security threats and license compliance risks that come with it.
In creating the report, we wanted to answer questions such as these: How much open source is really being used? What are the common open source security issues organizations face? What about the license risks? Just how many vulnerabilities should we expect to find, and which are the most common? Which industries do well in managing open source risks, and which expose their applications to greater risk? What progress do we see in open source risk management compared with last year?
We found answers to these questions and many more. Some results were expected, like the fact that almost every codebase we analyzed (96%) contained open source. Some results were more surprising: We found an average of 257 open source components per codebase, a 134% increase from last year. Such growth in open source use did not coincide with an expansion of open source risk management, however. Seventy-eight percent of codebases analyzed contained at least one vulnerability, up from 67% last year. And even after widespread publicity, 33% of codebases using Apache Struts in an application contained the same vulnerability that resulted in the Equifax exploit.
The findings of the 2018 OSSRA report are a strong indication that organizations still have a long way to go toward instilling proper open source risk management. But there is a clear path forward for these organizations to maximize the benefits of open source while still controlling for risks. The takeaway is that organizations simply need to know what is going into their code. Software composition analysis (SCA) provides the tools needed to effectively identify, manage, and secure open source. In 2018, Synopsys continues to invest in Black Duck to do just that, and to present the industry with as much guidance and insight as it can. Read the full 2018 Open Source Security and Risk Analysis here. And keep an eye out for more reports from us soon.