“The growth in open source use did not mean an equivalent growth in open source risk management”
As part of Synopsys’ software composition analysis (SCA) offerings, the Black Duck On-Demand audit services group performs open source security audits for organisations looking to assess license compliance and security risks of a particular application or codebase.
The Synopsys Center for Open Source Research & Innovation (COSRI) collects, anonymises, and compiles data from those audits to produce the Open Source Security and Risk Analysis (OSSRA) reports.
Our goal is to assess the current state of open source, understand the efficacy of organisations in managing open source risks, and offer guidance to those who are looking to effectively use open source through managing the security threats and license compliance risks that come with it.
The just-released 2018 OSSRA report analyses the audit results of over 1,100 commercial codebases from over 500 organisations.
In creating the report, we wanted to answer such questions as: How much open source is being used? What are the common open source security issues organisations face? What about the license risks? Just how many vulnerabilities should we expect to find, and which are the most common? Which industries do well in managing open source risks, and which expose their applications to greater risk? What type of progress do we see in open source risk management from last year?
We found answers to these questions and many more. Some results were expected, like the fact that almost every codebase we analysed (96%) contained open source. The reasons are straightforward—open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity.
Some results were surprising. For example, we found an average of 257 open source components per codebase, a 134% increase from last year’s OSSRA report. But, we also found that the growth in open source use did not mean an equivalent growth in open source risk management. In fact, the opposite appears to be true. Seventy-eight percent of the codebases analysed contained at least one vulnerability, up from 67% last year.
A Growing Number of Open Source Vulnerabilities are Accumulating in Codebases
Another important data point found by the scans was that the average age of the vulnerabilities discovered is increasing. On average, vulnerabilities identified in the audits were disclosed nearly six years ago— vs. the four years reported in 2017—suggesting that those responsible for remediation are taking longer to remediate, if remediating at all, and are allowing a growing number of open source vulnerabilities to accumulate in their codebases.
An example of this is the Apache Struts vulnerability that resulted in the Equifax breach, compromising the information of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Canadian customers. The Struts vulnerability was made public and a patch released in early March of 2017. The Equifax breach—enabled by an unpatched version of Struts that the credit agency had in use—was announced in September of 2017. The subsequent publicity would have made it difficult for anyone concerned with application security not to be aware of the need to patch any vulnerable version of Struts they might have in use.
Yet, neither the vulnerability disclosure nor the Equifax news seemed to have little effect on prompting other organisations to investigate their applications for the Struts vulnerability. Eight percent of the audited codebases were found to contain Apache Struts, and of those, 33% still contained the Struts vulnerability that resulted in the Equifax breach.
Similarly, 17% of the audited codebases contained a named vulnerability, such as Heartbleed, Logjam, or Poodle, a remarkable figure given that named vulnerabilities generally receive a high level of publicity. Poodle was found in 8% of the codebases scanned, Freak and Drown were found in 5% and—discouragingly—Heartbleed was found in 4% of the scanned codebases, even more than four years after its disclosure and several well-publicised exploits.
Two Misconceptions about the OSSRA Reports
Each year after publishing an OSSRA report the authors face two regular criticisms; one being that we are arguing for the use of proprietary software over open source, the other that we claim that open source is less secure than proprietary alternatives.
Outside of the fact that Black Duck by Synopsys would no longer be in business if open source disappeared—our raison d’être is to help organisations identify and manage the open source they use—the debate over open source vs. proprietary use should have ended years ago. Today, most application code is open source. Of the codebases we audited that contained open source, an average of 57% of those codebases were open source components. Many applications now contain more open source than proprietary code, a trend more likely to accelerate than to reverse.
As to security, what we do advocate is the responsible use of open source software, and, as the findings of the 2018 OSSRA report demonstrate, many organisations still have a long way to go towards that goal. All software has vulnerabilities, whether proprietary or open source. Open source is not less secure than proprietary code. But neither is it more secure. The open source community does an exemplary job of discovering and reporting vulnerabilities (over 4,800 reported in 2017 alone), as well as issuing patches, usually at the same time as the public disclosure. But an alarming number of companies simply do not apply patches.
If you don’t have processes and policies in place for open source management—especially for identifying and patching known vulnerabilities in open source components—you’re doing a disservice to the open source community, no matter how much an open source champion you may claim to be. You can read the full 2018 Open Source Security and Risk Analysis report here.