The potential pitfalls of open source management
84% of codebases contain at least one known open-source vulnerability, a nearly 4% increase from last year, according to Synopsys.
The findings of the report deliver an in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape.
Software inventory
The first step toward reducing business risk from open source, proprietary, and commercial code involves a comprehensive inventory of all software a business uses, regardless of where it comes from or how it’s acquired.
Only with this complete inventory – a Software Bill of Materials (SBOM) – can organizations establish a strategy to address risk stemming from new security disclosures like Log4Shell.
“The 2023 OSSRA report findings underscore the reality of open source as the underlying foundation of most types of software built today,” said Jason Schmitt, GM of the Synopsys Software Integrity Group.
“An increase in the average number of open source components rising 13% (from 528 to 595) in this year’s audits further reinforces the importance of implementing a comprehensive SBOM that lists all open source components in your applications their licenses, versions, and patch status. This is a foundational strategy towards understanding and reducing business risk by defending against software supply chain attacks,” Schmitt continued.
Open source usage overview
A five-year overview of OSSRA data shows dramatic growth in open source use: The global pandemic contributed to the EdTech sector’s adoption of open source, which grew by 163%, with educational courses and instructor/student interactions increasingly pushed online. Other sectors experiencing a large spike in open source growth include the aerospace, aviation, automotive, transportation, and logistics sector with a 97% increase and 74% growth in manufacturing and robotics.
High-risk vulnerabilities over the past five years have also increased at an alarming rate: Since 2019, high-risk vulnerabilities in the retail and eCommerce sector jumped by 557%. Comparatively, the IoT sector, with 89% of the total code being open source, saw a 130% increase in high-risk vulnerabilities in the same period. Similarly, the aerospace, aviation, automotive, transportation and logistics vertical was found to have a 232% increase in high-risk vulnerabilities.
Use of open source components with no licenses puts organizations at greater risk of violating copyright law than those using licensed components: The report found that 31% of codebases use open source with no discernable license or with customized licenses. This is a 55% increase from last year’s OSSRA report. The lack of a license associated with open source code, or a variant of another open source license may place undesirable requirements on the licensee and will often require legal evaluation for possible IP issues or other legal implications.
Available code quality and security patches are not applied to most codebases: Of the 1,480 audited codebases that included risk assessments, 91% contained outdated versions of open-source components. Unless an organization keeps an accurate and up-to-date SBOM, an outdated component can be forgotten until it becomes vulnerable to a high-risk exploit.
Managing open source
“The key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents,” said Mike McGuire, senior software solutions manager within the Synopsys Software Integrity Group.
“By building this visibility into the application lifecycle, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution. Organizations leveraging any type of thirdparty software should rightfully assume that it contains open source. Verifying this, and staying on top of the associated risk, is as simple as obtaining an SBOM – something easily provided by a vendor taking the necessary steps to secure their software supply chain,” McGuire concluded.
The report examines the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions and highlights trends in open source usage across 17 industries.