2023 OSSRA: A deep dive into open source trends
Open source is everywhere, as is the need to properly manage it. Get the latest open source trends from the 2023 OSSRA report.
It’s that time of year again: Now in its 8th edition, the Synopsys “Open Source Security and Risk Analysis” (OSSRA) report launched earlier this week.
This year’s report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,700 audits of commercial codebases performed by the Black Duck® Audit Services team, primarily for merger and acquisition (M&A) transactions. Synopsys shares OSSRA findings each year with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape. Examining trends in open source usage and industry insights can help developers understand the interconnected software ecosystem they are a part of.
Open source trends uncovered in the 2023 OSSRA
All industries studied contained a high percentage of open source
Three of the 17 industry sectors represented in the 2023 OSSRA report—Aerospace, Aviation, Automotive, Transportation, Logistics; EdTech; and Internet of Things—contained open source in 100% of their audited codebases. The remaining verticals had open source in upwards of 92% of their codebases.
Despite economic uncertainty, audit numbers remained strong
- A total of 1,703 codebases were audited by Synopsys during 2022, of which 96% contained open source.
The Synopsys Audit team conducts audits of thousands of codebases for customers each year, with the primary aim of identifying a range of software risks during M&A transactions. Despite 2022’s economic ambiguity and a corresponding slowdown in tech M&As, audit numbers remained promisingly strong.
Organizations aren’t fixing high-risk vulnerabilities
- Since 2019, all 17 industries in the OSSRA have seen at least a 42% increase in high-risk vulnerabilities, with increases skyrocketing to + 557% in the Retail and eCommerce sectors, and +317% in the Computer Hardware and Semiconductors industry.
New this year, a five-year look-back provided a broader view of open source and security trends. The total percentage of open source in audited codebases by industry, though varied, increased across the board. The same is true for vulnerabilities, where certain industries showed concerning jumps in vulnerabilities, indicating a lack of vulnerability mitigation activity.
Patch management is still a challenge
- Of the 1,481 of the audited codebases that included security and operational risk assessments, 84% contained at least one vulnerability. And 48% contained at least one high-risk vulnerability, down only 2% from last year.
- From an operational risk/maintenance perspective, 89% of the 1,703 codebases contained open source that was more than four years out-of-date (a 5% increase from 2022’s report). And 91% used components that were not the latest available version.
License conflicts, Log4J endure
- This year, 54% of audited codebases contained codebases with license conflicts, up 2% from last year.
While the decrease in high-risk vulnerabilities is encouraging, the fact remains that more than half the codebases audited contained license conflicts, and nearly half contained high-risk vulnerabilities. Even more troubling was that of the 1,703 codebases that included risk assessments, 91% contained outdated versions of open source components. That is, an update or patch was available but not applied.
There are justifiable reasons for not keeping software up-to-date, but it’s likely that a large percentage of the 91% is due to DevSecOps teams not being aware that a newer version of an open source component is available. Unless an organization keeps an accurate and up-to-date inventory of the open source used in its code, the component can be forgotten until it becomes vulnerable to a high-risk exploit. And then the scramble to identify where it’s being used and to update it is on.
That’s precisely what occurred with Log4J, and over a year later, it still persists. Despite the media attention it received and the numerous avenues organizations can take to confirm its presence in their codebase (and remediate it), Log4J remains. Vulnerable versions of Log4J were identified in 5% of the total codebases, and in 11% of audited Java codebases.
Steps toward smarter open source management
By now, anyone remotely involved in software security is likely concerned with the software supply chain. In today’s climate of near-constant supply chain attacks, the numbers yielded by this report take on extra urgency. Organizations wondering where to start should consider the management of open source and third-party code in their applications as step 1.
Managing this code entails gaining complete visibility into dependencies. In 2023, 96% of commercial code contains open source, so getting visibility into the components used in your applications should be a baseline requirement for any modern DevSecOps program. A software Bill of Materials (SBOM) provides this needed insight into business risk and overall security. That means organizations no longer need to trust that they are secure—they can verify it.
