2018 Open Source Security and Risk Analysis Report: Each codebase contains an average of 64 vulnerabilities
Synopsys recently released the Black Duck 2018 Open Source Security and Risk Analysis report, which provides an in-depth look at open source security, license compliance, and code quality risk in commercial software. The report discusses results drawn from anonymised data from more than 1,100 commercial code bases audited in 2017, spanning the automotive, big data (primarily artificial intelligence and business intelligence), network security, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing and mobile application markets.
Open source software is neither more nor less secure than custom code. However, specific characteristics of open source software make vulnerabilities in popular components attractive to attackers. Black Duck’s audit results show that open source code is now ubiquitous in commercial and internal applications, which gives attackers a rich environment whenever a vulnerability is disclosed. Vulnerabilities and exploits are usually disclosed through sources such as the National Vulnerability Database (NVD), mailing lists, and project home pages.
Commercial software automatically pushes updates to users. Open source software, by contrast, uses a pull support model in which users are responsible for tracking vulnerabilities, fixes, and updates for the open source software they use. Open source code can enter a code base in a variety of ways: not only through third-party vendors and external development teams but also through internal developers. If an organisation does not know all of the open source code it uses, it cannot defend against common attacks on known vulnerabilities in those components, and it also exposes itself to license compliance risk.
In 2017, the Black Duck On-Demand audit found an average of 257 open source components per code base. By 2018, the number of open source components per code base had increased by about 75%. The audit found that 96% of scanned applications contain open source components, a ratio similar to last year’s report. Within the scanned applications, the average proportion of open source code rose from 36% last year to 57%, which indicates that the use of open source code continues to grow substantially, and that a large number of applications now contain more open source code than proprietary code.
Some open source components are so critical to developers that they appear in a massive number of applications. This year, Bootstrap, an open source toolkit for developing HTML, CSS, and JavaScript, appears in 40% of all scanned applications, followed by jQuery, which is included in 36% of applications. Among the components common to every industry, Lodash, a JavaScript library that provides utility functions for common programming tasks, is worth noting: it is the most commonly used open source component in applications in healthcare, the Internet of Things, the Internet, marketing, e-commerce, and telecommunications.
The audit also found that the number of open source vulnerabilities per code base increased by 134%: 78% of the audited code bases contained at least one vulnerability, and each code base contained an average of 64 vulnerabilities. This high growth rate is partly due to the number of vulnerabilities recorded in 2017. The US National Vulnerability Database (NVD) alone lists more than 14,700 vulnerabilities for 2017, compared with only 6,400 in 2016. Other sources report a total of more than 20,000 vulnerabilities, of which nearly 8,000 were not listed in the NVD. These figures cover all known vulnerabilities reported in 2017; more than 4,800 of them are open source vulnerabilities, continuing the five-year growth trend in known open source vulnerabilities. Over 40,000 open source vulnerabilities have been reported in the past 17 years.
Another important data point revealed by the scans is that the average age of the vulnerabilities found is increasing. On average, the vulnerabilities found in the audit were disclosed about six years ago, whereas the 2017 report put the figure at four years. This shows that those responsible for fixes are taking longer to complete them (if they are working on them at all), so more and more vulnerabilities accumulate in code bases.
These open source components are also subject to widespread licensing issues. Companies are unlikely to be able to track such a large number of licensing obligations with traditional spreadsheet methods; it may be impossible without an automated process. As a result, 74% of the audited code bases contained components with license conflicts, the most common being a violation of the GPL license, which was present in 44% of code bases. Of the code bases the report audited, 85% either have a license conflict or contain components with no license at all.
Among the verticals, applications in the Internet and software infrastructure industry had the highest proportion of high-risk open source vulnerabilities, at 67%, followed by the Internet and mobile applications industry at 60%. Ironically, the network security industry still had a high percentage of high-risk open source vulnerabilities: although down from 59% last year, the figure was still as high as 41%, making it the fourth highest vertical.
In the financial services and financial technology markets, 34% of scanned applications contain high-risk vulnerabilities, followed by applications in the healthcare, health technology and life sciences verticals, 31% of which contain high-risk vulnerabilities. Manufacturing, industrial and robotics have the lowest percentage in this respect, at 9%, probably because OEMs are putting pressure on suppliers across the software supply chain to deliver vetted, clean code. In contrast, the manufacturing vertical has the third highest rate of license conflicts among all verticals, at 91%.
In fact, according to the audit data provided by Black Duck On-Demand, companies in every vertical should pay attention to open source license issues, and to the potential risk of intellectual property litigation or compromise arising from code that fails to comply with open source license agreements. The share of applications with license conflicts varies across industries: as low as 61% in retail and e-commerce, and as high as 100% in telecommunications and wireless, where every scanned code base had some form of open source license conflict.
The Synopsys Open Source Research and Innovation Center, which is responsible for analysing this report, said that it no longer makes sense to argue over whether open source code should be used: the data show that, at present, most application code is open source. In the audited code bases containing open source code, an average of 57% of the code consists of open source components, which demonstrates that many applications now contain more open source code than their own code. As open source usage grows, so does the risk, mainly because companies lack the right tools to identify how many and which open source components are used in their internal and public-facing applications. By integrating strategies, processes, and automated solutions into the software development lifecycle to identify, manage, and protect open source code, organisations can maximise the benefits of open source while effectively managing vulnerability and licensing risk.
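The report's recommendation, an automated inventory check rather than a spreadsheet, can be illustrated with a small script. The following is an added example written for this page, not code from Synopsys or Black Duck; the component inventory, the advisory feed (with placeholder ids, not real CVE numbers), the dates and the "no GPL in proprietary distribution" policy are all constructed for illustration. It matches each component's version against advisory version ranges, reports the average age of the matched vulnerabilities (the metric the report tracks), and flags license conflicts and unlicensed components.

```python
"""Offline open source inventory check (added example; all data constructed).

Matches a component inventory against an advisory feed, measures how old the
matched vulnerabilities are, and flags license conflicts."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import operator
import re


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: Optional[str]  # None means no license declared


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder ids, not real identifiers
    component: str
    affected: str      # version constraint, e.g. "<1.12.0" or ">=3.0.0,<3.4.0"
    severity: str      # "high", "medium" or "low"
    disclosed: date


# Constructed inventory resembling a scanned code base.
INVENTORY = [
    Component("jquery", "1.11.3", "MIT"),
    Component("bootstrap", "3.3.5", "MIT"),
    Component("lodash", "4.17.4", "MIT"),
    Component("readline-lib", "6.2", "GPL-3.0"),
    Component("internal-util", "0.1.0", None),
]

# Constructed advisory feed (ids and dates are made up for the example).
ADVISORIES = [
    Advisory("ADV-0001", "jquery", "<1.12.0", "medium", date(2015, 1, 20)),
    Advisory("ADV-0002", "jquery", "<3.0.0", "medium", date(2012, 6, 1)),
    Advisory("ADV-0003", "bootstrap", ">=3.0.0,<3.4.0", "medium", date(2016, 2, 10)),
    Advisory("ADV-0004", "lodash", "<4.17.5", "high", date(2018, 2, 1)),
    Advisory("ADV-0005", "lodash", ">=5.0.0", "high", date(2018, 3, 1)),  # does not hit 4.x
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}


def parse_version(v):
    """Turn "1.11.3" into (1, 11, 3) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, constraint):
    """True when every comma-separated clause of the constraint holds."""
    ver = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def match_advisories(inventory, advisories):
    """Return (component, advisory) pairs where the shipped version is affected."""
    by_name = {c.name: c for c in inventory}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is not None and is_affected(comp.version, adv.affected):
            hits.append((comp, adv))
    return hits


def average_age_years(hits, as_of):
    """Mean years between disclosure and the audit date (the report's 'age')."""
    if not hits:
        return 0.0
    days = [(as_of - adv.disclosed).days for _, adv in hits]
    return sum(days) / len(days) / 365.25


def license_conflicts(inventory, disallowed=frozenset({"GPL-2.0", "GPL-3.0"})):
    """Flag components whose license conflicts with a constructed policy
    (copyleft GPL disallowed in a proprietary product) or that declare none."""
    return [c for c in inventory if c.license_id is None or c.license_id in disallowed]


def summarize(inventory, advisories, as_of):
    """Per-code-base figures of the kind the audit reports."""
    hits = match_advisories(inventory, advisories)
    return {
        "components": len(inventory),
        "vulnerabilities": len(hits),
        "high_risk": sum(1 for _, a in hits if a.severity == "high"),
        "avg_age_years": round(average_age_years(hits, as_of), 2),
        "license_conflicts": [c.name for c in license_conflicts(inventory)],
    }


if __name__ == "__main__":
    print(summarize(INVENTORY, ADVISORIES, date(2018, 6, 1)))
```

Run against the constructed data as of 2018-06-01, four of the five advisories match, one of them high severity, the matched vulnerabilities are about three years old on average, and two components are flagged for licensing (one GPL, one with no license). The version-constraint parser is deliberately minimal (dotted integers only); a real check would use the package ecosystem's own version semantics and a maintained advisory feed.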
Source: blackducksoftware