Black Duck by Synopsys on Tuesday released the 2018 Open Source Security and Risk Analysis report, which details new concerns about software vulnerabilities amid a surge in the use of open source components in both proprietary and open source software.
The report provides an in-depth look at the state of open source security, license compliance and code-quality risk in commercial software. The audited code bases show consistent growth in open source use over the last year, and newer spaces such as the Internet of Things show the same security and compliance problems.
This is the first report Black Duck has issued since Synopsys acquired it late last year. The Synopsys Center for Open Source Research & Innovation conducted the research and examined findings from anonymized data drawn from more than 1,100 commercial code bases audited in 2017.
The report comes on the heels of heightened alarm regarding open source security management following the major data breach at Equifax last year. It includes insights and recommendations to help organizations’ security, risk, legal, development and M&A teams better understand the open source security and license risk landscape.
The goal is to improve the application risk management processes that companies put into practice.
Industries represented in the report include the automotive, big data (predominantly artificial intelligence and business intelligence), cybersecurity, enterprise software, financial services, healthcare, Internet of Things, manufacturing and mobile app markets.
“The two big takeaways we’ve seen in this year’s report are that the actual license compliance side of things is improving, but organizations still have a long way to go on the open source security side of things,” said Tim Mackey, open source technology evangelist at Black Duck by Synopsys.
Gaining Some Ground
Organizations have begun to recognize that compliance with an open source license and the obligations associated with it really do factor into governance of their IT departments, Mackey told LinuxInsider, and it is very heartening to see that.
“We are seeing the benefit that the ecosystem gets in consuming an open source component that is matured and well vetted,” he said.
One surprising finding in this year’s report is that the security side of the equation has not improved, according to Mackey.
“The license part of the equation is starting to be better understood by organizations, but they still have not dealt with the number of vulnerabilities within the software they use,” he said.
According to the report, open source is neither more nor less secure than custom code. However, certain characteristics of open source make vulnerabilities in popular components very attractive to attackers.
Open source has become ubiquitous in both commercial and internal applications. That heavy adoption provides attackers with a target-rich environment when vulnerabilities are disclosed, the researchers noted.
Vulnerabilities and exploits are regularly disclosed through sources like the National Vulnerability Database, mailing lists and project home pages. Open source can enter code bases through a variety of ways — not only through third-party vendors and external development teams, but also through in-house developers.
Commercial software vendors typically push updates to users automatically. Open source relies on a pull model: users must keep track of vulnerabilities, fixes and updates for every open source component they use.
If an organization is not aware of all the open source it has in use, it cannot defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk, according to the report.
Asking whether open source software is safe or reliable is a bit like asking whether an RFC or IEEE standard is safe or reliable, said Shaposhnik of Zededa.
“That is exactly what open source projects are today. They are de facto standardization processes for the software industry,” he told LinuxInsider.
A key question to ask is whether open source projects make it safe to consume what they are producing, incorporating them into fully integrated products, Shaposhnik suggested.
That question gets a twofold answer, he said. The projects have to maintain strict IP provenance and license governance to make sure that downstream consumers are not subject to frivolous lawsuits or unexpected licensing gotchas.
Further, projects have to maintain a strict security disclosure and response protocol that is well understood and that makes it easy for downstream consumers to participate in a safe and reliable fashion.
Better Management Needed
Given the continuing growth in the use of open source code in proprietary and community-developed software, more effective management strategies are needed on the enterprise level, said Shaposhnik.
Overall, the Black Duck report is super useful, he remarked. Software users have a collective responsibility to educate the industry and general public on how the mechanics of open source collaboration actually play out, and the importance of understanding the possible ramifications correctly now.
“This is as important as understanding supply chain management for key enterprises,” he said.
More than 4,800 open source vulnerabilities were reported in 2017. The number of open source vulnerabilities per code base grew by 134 percent.
On average, the Black Duck On-Demand audits identified 257 open source components per code base last year. Altogether, the number of open source components found per code base grew by about 75 percent between the 2017 and 2018 reports.
The audits found open source components in 96 percent of the applications scanned, a percentage similar to last year’s report. The growth is in how much open source each application contains rather than in how many applications contain it.
The average percentage of open source in the code bases of the applications scanned grew from 36 percent last year to 57 percent this year. This suggests that a large number of applications now contain much more open source than proprietary code.
Open source use is pervasive across every industry vertical. Some open source components have become so important to developers that those components now are found in a significant share of applications.
The Black Duck audit data shows open source components make up between 11 percent and 77 percent of commercial applications across a variety of industries.
Eighty-five percent of the audited code bases had either license conflicts or unknown licenses, the researchers found. GNU General Public License conflicts were found in 44 percent of audited code bases.
There are about 2,500 known open source licenses governing open source components. Many of these licenses have varying levels of restrictions and obligations. Failure to comply with open source licenses can put businesses at significant risk of litigation and compromise of intellectual property.
On average, vulnerabilities identified in the audits were disclosed nearly six years ago, the report notes.
Those responsible for remediation typically take a long time to remediate, if they remediate at all. As a result, vulnerabilities accumulate in code bases year after year.
Of the IoT applications scanned, an average of 77 percent of the code base consisted of open source components, with an average of 677 vulnerabilities per application.
The average percentage of code base that was open source was 57 percent versus 36 percent last year. Many applications now contain more open source than proprietary code.
Takeaway and Recommendations
As open source usage grows, so does the risk, OSSRA researchers found. More than 80 percent of all cyberattacks happened at the application level.
That risk comes from organizations lacking the proper tools to recognize the open source components in their internal and public-facing applications. Nearly 5,000 open source vulnerabilities were discovered in 2017, contributing to nearly 40,000 vulnerabilities since the year 2000.
No one technique finds every vulnerability, noted the researchers. Static analysis is essential for detecting security bugs in proprietary code. Dynamic analysis is needed for detecting vulnerabilities stemming from application behavior and configuration issues in running applications.
Organizations also need to employ the use of software composition analysis, they recommended. With the addition of SCA, organizations more effectively can detect vulnerabilities in open source components as they manage whatever license compliance their use of open source may require.
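The following is a minimal software composition analysis pass of the kind the recommendation above describes, written as an added example for this article; it is not Black Duck's or Synopsys's code and does not show how their audits work. It inventories the pinned components in a requirements-style manifest, matches each one against an advisory feed with affected-version ranges, reports how long each still-unpatched vulnerability has been public (the "disclosed nearly six years ago" figure from the report is this kind of number), and checks the license of each component against a policy for a proprietary, binary-only product. The manifest, the component names, the ADV-numbered advisory identifiers, the license table and the audit date are all constructed for the example and refer to no real project or real vulnerability.

```python
"""Minimal software composition analysis (SCA) pass.

Added example for this article, not Black Duck/Synopsys code. Every input
below (manifest, component names, ADV-* identifiers, license table, audit
date) is constructed for illustration and refers to no real project.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed manifest in requirements.txt style; components are hypothetical.
MANIFEST = """\
# web layer
netkit==2.3.1
jsonparse==1.0.4
imgcodec==0.9.7
# in-house package, never entered in the license inventory
acme-core==1.4.0
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical ID, deliberately not a CVE number
    component: str
    introduced: str    # first affected version, inclusive
    fixed: str         # first fixed version, exclusive; "" if no fix exists
    disclosed: date


# Constructed advisory feed shaped like NVD "affected version range" entries.
ADVISORIES = [
    Advisory("ADV-0001", "netkit", "2.0.0", "2.3.2", date(2012, 5, 1)),
    Advisory("ADV-0002", "netkit", "1.0.0", "2.1.0", date(2011, 1, 1)),
    Advisory("ADV-0003", "jsonparse", "1.0.0", "", date(2017, 11, 20)),
    Advisory("ADV-0004", "imgcodec", "0.9.0", "0.9.7", date(2016, 3, 3)),
]

# Constructed license inventory (SPDX identifiers); "" means license unknown.
LICENSES = {"netkit": "Apache-2.0", "jsonparse": "GPL-2.0-only", "imgcodec": ""}

# Strong copyleft licenses conflict with a proprietary, binary-only distribution.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Assumed audit date, so the age of a disclosure is reproducible.
AUDIT_DATE = date(2018, 5, 15)


def parse_version(v):
    """'2.3.1' -> (2, 3, 1); numeric dotted versions only, compared as tuples."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {name: version} for pinned 'name==version' lines.

    Anything unpinned is rejected: a range cannot be matched against a feed."""
    comps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        comps[m.group(1).lower()] = m.group(2)
    return comps


def is_affected(version, adv):
    """True if version lies in [introduced, fixed); an empty 'fixed' is open-ended."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


def license_issue(lic):
    """Classify a license against the proprietary-distribution policy."""
    if lic is None:
        return "not-in-inventory"   # never recorded: obligations cannot be assessed
    if lic == "":
        return "unknown"
    if lic in COPYLEFT:
        return "copyleft-conflict"
    return None


def analyze(manifest_text, advisories, licenses, today):
    """Run the SCA pass; returns {component: finding dict}."""
    findings = {}
    for name, version in parse_manifest(manifest_text).items():
        vulns = [a for a in advisories if a.component == name and is_affected(version, a)]
        ages = [(today - a.disclosed).days / 365.25 for a in vulns]
        findings[name] = {
            "version": version,
            "vulns": [a.advisory_id for a in vulns],
            "oldest_unpatched_years": round(max(ages, default=0.0), 1),
            "license": licenses.get(name),
            "license_issue": license_issue(licenses.get(name)),
        }
    return findings


if __name__ == "__main__":
    for name, f in analyze(MANIFEST, ADVISORIES, LICENSES, AUDIT_DATE).items():
        print(f"{name}=={f['version']}: vulns={f['vulns']} "
              f"oldest={f['oldest_unpatched_years']}y license={f['license_issue']}")
```

Two details carry the point the article makes. First, the pass can only report on components it can see: the in-house package comes back as "not-in-inventory" rather than clean, which is the honest answer when nothing is known about it. Second, the version-range check has to treat the fix boundary as exclusive and an empty fix as open-ended; a component pinned exactly at the first fixed release is clean, while one with an advisory and no fix stays flagged until it is replaced. A real feed (the NVD JSON feeds, a vendor database) and a real inventory (a lock file, an SBOM) slot in where the constructed ones sit.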