A slight change of pace for this week’s issue of Software Integrity Insight, as we focus on the release of the 2018 Open Source Security and Risk Analysis, which analyzes the audit results of over 1,100 commercial codebases from over 500 organizations and examines the open source security and licensing news of 2017. We think you’ll find some of the results from the report surprising, such as the fact that 33% of the codebases that contained Apache Struts still had the vulnerability that resulted in the Equifax breach. Learn about the open source security risks uncovered, and more, in this week’s Insight.
via Synopsys Software Integrity: To better understand the state of open source use and open source management in organizations worldwide, Synopsys studies the findings from its Black Duck On-Demand open source audits. Building on the findings from last year’s report, Synopsys has now released the 2018 Open Source Security and Risk Analysis (OSSRA) to provide data-driven insights for our customers and for all consumers of and contributors to open source software.
via The Register: The increasing use of open-source components in development may well require changes to procedures and practices. As with traditional closed source, vulnerabilities and security considerations are in need of planning and mitigation, and navigating the array of licence types can be bewildering.
via Synopsys Software Integrity: (video) Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity, including a look into the 2018 OSSRA Report.
via Help Net Security: The number of open source components in the codebases of proprietary applications keeps rising, and with it the risk of those applications being compromised by attackers exploiting known vulnerabilities in those components, a recent report has shown.
via Synopsys Software Integrity: Check out our infographic highlighting the 2018 Black Duck by Synopsys Open Source Security and Risk Analysis report findings. See what we learned.
via WeLiveSecurity: One-third of audited codebases that contain Apache Struts suffer from the same vulnerability that facilitated the Equifax hack a year ago.
via JAXenter: Open source components are present in an enormous percentage of applications across numerous firms. What does the security picture for open source look like just before GDPR enforcement begins?
via Software Testing News: The report found that more than 54% of vulnerabilities found in audited codebases are considered high-risk, with 17% of the codebases containing highly publicised vulnerabilities such as Heartbleed, Logjam, Freak, Drown, or Poodle.
via ITWeb: “Identifying exactly what open source code is in your codebase is crucial for properly managing its use and reuse, as well as key to ensuring compliance with software licences, an essential step in reducing business risk,” the report stated. “Failure to comply with open source licences can put businesses at significant risk of litigation and compromise of intellectual property.”
via ZDNet: Vulnerabilities including the bug reportedly responsible for Equifax’s data breach are still common elements of open-source systems used in the enterprise.
via LinuxInsider: “Organizations still have a long way to go on the open source security side of things,” said Tim Mackey, open source technology evangelist at Black Duck by Synopsys.
via SecurityWeek: Open source components have been increasingly used by developers, but failure to patch vulnerabilities in this type of software can pose serious risks.