Sapsiwai - Fotolia
A software audit conducted for the Black Duck 2017 Open Source Security and Risk Analysis (OSSRA) has found that financial applications had an average of 52 open source vulnerabilities.
Black Duck’s Centre for Open Source Research and Innovation (COSRI) analysed 1,071 applications that were audited during 2016.
The audit reported that 96% of applications across all industry sectors contained open source and a large proportion were vulnerable to open source security issues.
Overall, 60% of the applications audited contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
Chris Fearon, director at Black Duck’s Open Source Security Research Group, COSRI’s security research arm, said: “The results of the COSRI analysis clearly demonstrate that organisations in every industry have a long way to go before they are effective at managing their open source.”
Black Duck said every version of Linux, PHP, Ruby on Rails and MS.Net contained high-risk vulnerabilities.
A recent presentation at the Cloud Native Computing Forum, which weighed up whether open source was more or less secure than commercial software, highlighted a number of common vulnerabilities. Heartbleed, for instance, was caused by a buffer overflow in the OpenSSL code. Shellshock was a security flaw in Linux’s Bash (Bourne Again Shell) scripting language. This particular flaw was present in the original code used by Linus Torvalds, Linux’s creator, in 1991, which raised the question of why it had not been discovered and patched earlier.
Unlike commercial software, where updates are automatically “pushed” to users, open source has a “pull” support model. This means users are responsible for keeping track of vulnerabilities as well as fixes and updates for the open source they use.
Black Duck CEO Lou Shipley said: “Exploits of open source vulnerabilities are the biggest application security risk that most companies have.”
Open source licence conflicts were also found to be widespread in the audited applications. More than 85% of the analysed applications contained open source components with licence challenges, said Black Duck.
Most open source components are governed by one of about 2,500 known open source licences, and the licence obligations can be tracked and managed if the components themselves are identified, it said.
But Black Duck found that 53% of the applications scanned had unknown licences, which meant no one had permission from the software’s creator to modify or share the code.
Components with no identifiable licence terms are problematic. If software does not have a licence, it generally means that no one has permission from the creator(s) of the software to use, modify, or share it. Creative work, including code, is under exclusive copyright by default, said Black Duck.