Open source, open season


Last week Synopsys released its Open Source Security and Risk Analysis (OSSRA) report for 2017, and it has raised some serious issues.

Based on the examination of over 1,100 commercial codebases audited last year, this report took a look at the automotive, big data, cyber security, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing, and mobile app markets.

It found that there has been a massive increase in open source adoption, with 96 percent of the applications scanned containing open source components. It also found that the average number of open source components per codebase (257) had grown by 75 percent over the previous year, with many applications containing more open source than proprietary code.

Worryingly though, 78 percent of the codebases examined contained at least one open source vulnerability, with an average of 64 vulnerabilities per codebase.

Over 54 percent of the vulnerabilities found in audited codebases were considered high-risk, while 17 percent of the codebases contained a highly publicised vulnerability such as Heartbleed, Logjam, Freak, Drown, or Poodle.

The report found vulnerable open source components in applications across every industry, with the Internet and Software Infrastructure market reporting the highest proportion, at 67 percent of applications containing high-risk open source vulnerabilities.

Of real concern should be the fact that 41 percent of the applications in the Cyber Security industry were found to have high-risk open source vulnerabilities, making it the fourth highest-risk vertical.

Commenting, Tim Mackey, a technical evangelist at Synopsys, said, "Since modern software and infrastructure depend heavily on open source technologies, having a clear view of components in use is a key part of corporate governance. The report clearly demonstrates that with the growth in open source use, organisations need to ensure they have the tools to detect vulnerabilities in open source components and manage whatever license compliance their use of open source may require."

That last point should be of particular concern, as the report found that 74 percent of the codebases audited contained components with license conflicts. In the worst offender, the Telecommunications and Wireless industry, 100 percent of the code scanned had some form of open source license conflict.

Security is certainly being taken more seriously and has moved centre stage, but as this report shows, there is a long way to go, and it has to be a concern that the majority of software is, in the report's own words, plagued with known vulnerabilities and licence conflicts.