Analysis of over 1,200 codebases reveals trends in open source use, security, and license compliance that affect your development, security, and legal teams.
It’s a fact. If you create software today, you’re using open source components.
The latest estimates are that 99% of all but the smallest applications include open source components. What are the chances that your applications are among that other 1%? Less than the chances that you’re among the top 1% on the personal net worth scale.
And while it’s likely you’re using open source, how much, and how well it is managed, is another question. The 2019 Open Source Security and Risk Analysis (OSSRA), an annual report published this week by the Synopsys Cybersecurity Research Center (CyRC), examines those trends. CyRC is an initiative that leverages Synopsys’ expertise, technology, initiatives, and resources to conduct high-quality software security research to the benefit of the broader security, developer, and DevSecOps communities.
Here are some of the open source trends unearthed in the 2019 OSSRA:
This year’s report, which spans 17 industries, found that the average audited codebase contained 298 open source components, up 16% from 2017. The report digs deeper into the increasing popularity of open source.
As shown in the OSSRA report, even though open source use has become ubiquitous, many teams still aren’t taking adequate measures to address the security and license risks that come with it. Find out how the use of open source can lead to more risk and compliance issues.
Open source software itself is no riskier than proprietary or commercial off-the-shelf (COTS) packages. The real risk comes from the way organizations track and manage it—or don’t. This includes the way security patches are distributed, how open source vulnerabilities are monitored and fixed, and how reliably organizations are tracking all the open source components they use.
Equifax is perhaps the most high-profile, stark example of this. The catastrophic 2017 breach of the credit reporting giant was the result of a failure to patch a vulnerability in the open source web application framework Apache Struts. Did they see the security alerts? They did, but they didn’t patch their applications, because they weren’t tracking the fact that those applications used Apache Struts.
If that sounds familiar, you’re not alone. Of the applications audited in 2018, 60% had vulnerabilities—and while that’s concerning, it’s a marked improvement from 78% in 2017. The way to avoid that kind of risk is through an automated solution to track and manage the open source components you use. It may sound like a cliché (though it’s true), but you can’t patch it if you don’t know you’re using it.
As shown in the report, the 20 most popular open source licenses cover about 98% of the open source in use. What about the 2,480+ other licenses? Plus, even if open source components have no identifiable license terms, you’re not off the potential litigation hook. Black Duck Audits found that 75% of companies had codebases with unknown licenses. In general, the absence of a license means no one can use, modify, or share the software without the explicit permission of its creators. This is because creative work (which includes code) is under exclusive copyright by default.
Obviously, it’s not enough simply to be aware of open source trends. Knowing what other organizations are doing is a step in the right direction. But the best way to realize the benefits of open source and avoid the downsides is to track it—all of it—so you can mitigate both security and legal risks. Find out how to mitigate your open source security and license risks.