Open source is everywhere, as is the need to properly manage it. Get the latest open source trends from the 2023 OSSRA report.
It’s that time of year again: Now in its 8th edition, the Synopsys “Open Source Security and Risk Analysis” (OSSRA) report launched earlier this week.
This year’s report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,700 audits of commercial codebases performed by the Black Duck® Audit Services team, primarily for merger and acquisition (M&A) transactions. Synopsys shares OSSRA findings each year with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape. Examining trends in open source usage and industry insights can help developers understand the interconnected software ecosystem they are a part of.
Three of the 17 industry sectors represented in the 2023 OSSRA report—Aerospace, Aviation, Automotive, Transportation, Logistics; EdTech; and Internet of Things—contained open source in 100% of their audited codebases. The remaining verticals had open source in upwards of 92% of their codebases.
The Synopsys Audit team conducts audits of thousands of codebases for customers each year, with the primary aim of identifying a range of software risks during M&A transactions. Despite 2022’s economic uncertainty and a corresponding slowdown in tech M&A, audit numbers remained promisingly strong.
New this year, a five-year look-back provided a broader view of open source and security trends. The total percentage of open source in audited codebases by industry, though varied, increased across the board. The same is true for vulnerabilities, where certain industries showed concerning jumps in vulnerabilities, indicating a lack of vulnerability mitigation activity.
While the decrease in high-risk vulnerabilities is encouraging, the fact remains that more than half the codebases audited contained license conflicts, and nearly half contained high-risk vulnerabilities. Even more troubling was that of the 1,703 codebases that included risk assessments, 91% contained outdated versions of open source components. That is, an update or patch was available but not applied.
There are justifiable reasons for not keeping software up to date, but it’s likely that a large share of that 91% is due to DevSecOps teams not being aware that a newer version of an open source component is available. Unless an organization keeps an accurate and up-to-date inventory of the open source used in its code, a component can be forgotten until it becomes vulnerable to a high-risk exploit. Then the scramble is on to identify where it’s being used and to update it.
That’s precisely what occurred with Log4J, and over a year later, the problem persists. Despite the media attention it received and the numerous avenues organizations can take to confirm its presence in their codebase (and remediate it), Log4J remains. Vulnerable versions of Log4J were identified in 5% of the total codebases, and in 11% of the audited Java codebases.
By now, anyone remotely involved in software security is likely concerned with the software supply chain. In today’s climate of near-constant supply chain attacks, the numbers yielded by this report take on extra urgency. Organizations wondering where to start should consider the management of open source and third-party code in their applications as step 1.
Managing this code entails gaining complete visibility into dependencies. In 2023, 96% of commercial code contains open source, so getting visibility into the components used in your applications should be a baseline requirement for any modern DevSecOps program. A software bill of materials (SBOM) provides this needed insight into business risk and overall security. That means organizations no longer need to trust that they are secure—they can verify it.
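As an added illustration of the inventory check this paragraph and the earlier "91% outdated" finding call for (example code written for this page, not Synopsys or Black Duck tooling), the script below reads a constructed CycloneDX-style SBOM, compares each component against a constructed table of latest known releases, and separately lists every Log4J component so it cannot be "forgotten". The SBOM contents and the version table are sample data; in practice the table would come from a package registry or advisory feed.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (sample data, not from the report).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"},
    {"group": "org.yaml", "name": "snakeyaml", "version": "1.30"}
  ]
}
"""

# Constructed "latest known release" table standing in for a registry/advisory feed.
LATEST_KNOWN: Dict[str, str] = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.15.2",
    "org.yaml:snakeyaml": "2.0",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric segments compare as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def find_outdated(sbom_json: str, latest: Dict[str, str]) -> List[Dict[str, str]]:
    """Return SBOM components whose version trails the latest known release."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        newest = latest.get(key)
        if newest is None:
            continue  # no reference version: still inventoried, just not judged here
        if parse_version(comp["version"]) < parse_version(newest):
            findings.append({"component": key, "installed": comp["version"], "latest": newest})
    return findings

def log4j_present(sbom_json: str) -> List[str]:
    """List every Log4J component version in the SBOM, outdated or not."""
    sbom = json.loads(sbom_json)
    return [c["version"] for c in sbom.get("components", [])
            if c.get("group") == "org.apache.logging.log4j"]

if __name__ == "__main__":
    for f in find_outdated(SBOM_JSON, LATEST_KNOWN):
        print(f"OUTDATED {f['component']} {f['installed']} -> {f['latest']}")
    print("Log4J versions in inventory:", log4j_present(SBOM_JSON))
```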