pixel_dreams - Fotolia
Report highlights security risk of open source code to business
Increased adoption of open source code is introducing vulnerabilities into commercial software, with many audited codebases containing the Apache Struts flaw that enabled the Equifax breach, a report shows
Most software includes known vulnerabilities and licence conflicts as open source adoption soars, a report has revealed.
The Black Duck by Synopsys report is based on analysis of anonymised data from more than 1,100 commercial codebases audited in 2017 across nine industry sectors, including automotive, cyber security, financial services and healthcare.
The 2018 Open source security and risk analysis (OSSRA) report highlighted a substantial uptick in open source adoption, with 96% of the applications scanned containing open source components.
The data also showed that the average number of open source components found per codebase (257) grew by 75% compared with the previous year, with many applications containing more open source than proprietary code.
The report said it was worrying that 78% of the codebases examined contained at least one open source vulnerability, with an average 64 vulnerabilities per codebase.
More than 54% of the vulnerabilities found in audited codebases are considered high-risk vulnerabilities.
A third of the audited codebases that contained Apache Struts also had the vulnerability that resulted in the Equifax breach, while 17% contained a highly publicised vulnerability such as Heartbleed, Logjam, Freak, Drown or Poodle.
“Since modern software and infrastructure depend heavily on open source technologies, having a clear view of components in use is a key part of corporate governance,” said Tim Mackey, technical evangelist at Black Duck by Synopsys.
“The report clearly demonstrates that with the growth in open source use, organisations need to ensure they have the tools to detect vulnerabilities in open source components and manage whatever licence compliance their use of open source may require.”
Open source vulnerabilities wide reaching
Vulnerable open source components were found in applications in every industry. The internet and software infrastructure vertical had the highest proportion, with 67% of applications containing high-risk open source vulnerabilities.
Ironically, the report said 41% of the applications in the cyber security industry were found to have high-risk open source vulnerabilities, putting that vertical at fourth highest risk.
The report showed that organisations were allowing a growing number of vulnerabilities to accumulate in their codebases. On average, vulnerabilities identified in the audits were disclosed nearly six years ago.
Read more about open source software
- Big 10 open source companies give users a licence reprieve.
- The use of open source software is commonplace in enterprises, but many organisations are still reluctant to contribute their own code, despite the benefits it can bring.
- Open source breaks the rules on corporate procurement, but developers never play by the rules and now open source has sneaked in through the back door.
“When Equifax was breached through the Apache Struts vulnerability, the need for open source security management became front-page news,” said Evan Klein, the Black Duck product marketing manager responsible for the OSSRA report.
“Yet even though it was disclosed in March 2017, many organisations apparently still have not checked their applications for the Struts vulnerability.”
Software licence conflicts rife
Based on the findings, 74% of the codebases audited also contained components with licence conflicts, the most common of which were general public licence (GPL) violations.
The percentage of applications with licence conflicts in verticals ranged from the retail and e-commerce industry’s relative low of 61% to the high of the telecommunications and wireless industry, where 100% of the code scanned had some form of open source licence conflict.
As the codebase landscape changes, the report said an organisation’s application security programme also needs to evolve to continue to be effective.
According to the report, no single technique can find every vulnerability, so in addition to static and dynamic code analysis, organisations need to ensure that software composition analysis (SCA) is in their application security toolbelt.
“With the addition of SCA, organisations can effectively detect vulnerabilities in open source components as they manage whatever licence compliance their use of open source may require,” the report said.
By integrating policies, processes and automated solutions into the software development lifecycle to identify, manage and secure open source, the report said organisations could maximise the benefits of open source, while effectively managing its vulnerability and licence risks.