While almost all enterprise environments contain open source applications, organizations still struggle to properly manage the code, according to a Synopsys report.
The 2022 Open Source Security and Risk Analysis (OSSRA) report revealed the sheer volume of open source software in use by enterprises across various industries, as well as challenges related to outdated code and high-risk vulnerabilities such as Log4Shell. While visibility and prioritization issues persist, the report highlighted improvements in a few areas, including growing awareness of open source software.
To compile the report, the Synopsys Cybersecurity Research Center and Black Duck Audit Services reviewed the results of more than 2,400 commercial codebases across 17 industries. While the analysis determined that 97% of codebases contained open source software, a breakdown by industry showed that four industries had open source in 100% of their codebases: hardware and semiconductors, cybersecurity, energy and clean technology, and the internet of things.
“Even the sector with the lowest percentage – healthcare, health technology, life sciences – had 93%, which is still very high,” the report said.
Additionally, the report revealed that 78% of the code in the codebases was itself open source. Tim Mackey, Senior Security Strategist at Synopsys Cybersecurity Research Center, contributed to the report and told SearchSecurity he was not surprised by the high percentage. It is consistent with the last four or five years, during which more than two-thirds of the code in the codebases was open source; in 2020, it was 75%. Although the use of open source software varies by industry, Mackey said that’s just the way the world works.
“I suspect that… [we’ll] likely slip into the 80s over time, but we’re getting closer to the bifurcation of ownership and custom versus open source for most industries,” he said.
One factor that has accelerated the pace of innovation over the past 10 years is that developers can focus on the unique value propositions and features their employers need, while, as Mackey said, pulling in libraries that do the basic work. The challenge, he said, is that a development team will follow a different set of security rules and release criteria for open source software than for its own code.
While it might be beneficial for anyone to examine the source code, Mackey said that in practice most people just focus on what it does, download it, and use it. This is where the risk for businesses lies.
“So with all the open source powering our modern world, that makes it a prime target to be an attack vector,” he said.
Open source management
A recurring trend in the report is that “open source itself does not create business risk, but its management does”.
Mackey reiterated that sentiment and said companies that switch providers after an incident may be pointing fingers in the wrong direction. He called the problems with open source a “process problem”.
“Open source itself may have a bug, but any other software will have a bug too,” Mackey said.
However, the high volume makes it difficult to maintain. OSSRA determined that 81% of software used by organizations contained at least one vulnerability. The jQuery and Lodash codebases contained the highest percentage of vulnerable components. Spring Framework, which caused problems last month after researchers reported two flaws in the development framework, also made the list in 2021.
Additionally, Black Duck Audit Services risk assessments revealed that out of 2,000 codebases, 88% contained outdated versions of open source components, meaning that “an update or patch was available but had not been applied”.
More importantly, 85% contained open source code that was out of date for more than four years. This percentage has remained constant over the years, according to Mackey.
He said that while more digging is needed to identify the cause, it highlights how the lack of an update process makes it easy for components to fall out of date. The sheer volume of open source code is also a problem: there could be hundreds or even thousands of apps, with hundreds of components per app.
“That’s really one of the key points of what we’re seeing consistently: companies are struggling to figure out what’s really the most efficient way to deal with these kinds of things,” he said.
Log4Shell is one of the flaws that gave businesses a management and scale nightmare last year. While the report noted a “decrease in high-risk vulnerabilities, … 2021 was yet another year filled with open source issues.” This included supply chain attacks and exploits involving Docker images, but “most notably” the zero-day vulnerability in the Apache Log4j utility known as Log4Shell. It allowed attackers to execute arbitrary code on vulnerable servers, according to the report.
“What is most remarkable about Log4Shell, however, is not its ubiquity, but the achievements it has spurred. Following its discovery, businesses and government agencies have been forced to re-examine how they use and secure open source software created and maintained largely by unpaid volunteers, not commercial vendors. What has also emerged is that many organizations are simply unaware of the amount of open source used in their software,” the report said.
The researchers analyzed the audited Java codebases and found that 15% “contained a vulnerable Log4j component”. Although Mackey acknowledged that the number of Java applications has changed and log data has improved, he said 15% was lower than he had expected.
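As an added example (not code from the Synopsys report or this article), the following Python checks a constructed dependency inventory for the two conditions the report counts: log4j-core versions in the Log4Shell-affected range and components more than four years out of date at audit time. The inventory entries, their release dates and the audit date are constructed for illustration; the affected version range (log4j-core 2.0-beta9 through 2.14.1) is the published one.

```python
# Added example: flag Log4Shell-affected log4j-core and stale components.
from datetime import date
import re

# Log4Shell affected Apache log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was
# the first release that disabled the vulnerable lookup by default.
LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
LOG4SHELL_FIRST = (2, 0, 0, 9)             # 2.0-beta9
LOG4SHELL_LAST = (2, 14, 1, float("inf"))  # 2.14.1 (final release)
STALE_YEARS = 4

# Constructed inventory; release dates are illustrative, not real.
SAMPLE_INVENTORY = [
    {"name": LOG4J_CORE, "version": "2.14.1", "released": "2021-03-12"},
    {"name": LOG4J_CORE, "version": "2.17.1", "released": "2021-12-28"},
    {"name": "commons-collections:commons-collections",
     "version": "3.2.1", "released": "2008-04-15"},
    {"name": "org.webjars:jquery", "version": "3.6.0", "released": "2021-03-08"},
]

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a final
    release sorts after any beta/rc of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(pre) if pre else float("inf"))

def assess(inventory, audit_date):
    """Return (component, version, finding) triples in inventory order."""
    cutoff = date(audit_date.year - STALE_YEARS, audit_date.month, audit_date.day)
    findings = []
    for c in inventory:
        ver = parse_version(c["version"])
        if c["name"] == LOG4J_CORE and LOG4SHELL_FIRST <= ver <= LOG4SHELL_LAST:
            findings.append((c["name"], c["version"], "log4shell-affected"))
        if date.fromisoformat(c["released"]) < cutoff:
            findings.append((c["name"], c["version"], "older-than-4-years"))
    return findings

def sample_findings():
    """Run the check against the constructed inventory (audit date 2022-04-01)."""
    return assess(SAMPLE_INVENTORY, date(2022, 4, 1))

if __name__ == "__main__":
    for name, version, finding in sample_findings():
        print(f"{finding:20} {name} {version}")
```

The same check scales to a real SBOM export by replacing SAMPLE_INVENTORY with the parsed component list; an audit date of 29 February would need the cutoff computed without a direct year substitution.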
“My crystal ball says we’ll talk about it next year, because that’s actually one of the big problems that we see year after year: people don’t necessarily do a good job of fixing vulnerabilities that have been around for a few years,” he said.
The differences between commercial and open source software hamper companies when it comes to patching. The report notes that commercial fixes “usually require the involvement of a procurement department, as well as reviewing standards as part of a vendor risk management program.” On the other hand, “open source may simply have been downloaded and used at the discretion of the developer”.
Part of this management extends to security after a merger or acquisition. Mackey said one of the biggest challenges buyers face is the lack of visibility and skills to assess exactly what they are buying. 2021 was a big year for mergers and acquisitions.
“The growth in the number of codebases audited – 64% more than last year – reflects the significant increase in M&A transactions throughout 2021,” the report said.
Based on the statistics, Mackey said it’s extremely difficult for companies not to use open source.
“I would say it’s almost impossible,” he said. “They should also not use companies like Amazon, Microsoft or Google because they all use open source. That’s what powers their clouds. So that’s life today.”
While there is work to be done to minimize the risks of open source, Mackey said Synopsys has seen many improvements over the past year. Companies have better managed license conflicts, the number of vulnerabilities has decreased and the number of applications with very serious flaws has also decreased.
“People recognize that they have to ‘sign up for the program.’ Maybe it’s Biden who’s going to hit them on the head, maybe it’s ‘Oh wait, I don’t want to be the next Colonial Pipeline,’” Mackey said. “We can’t necessarily say that, but these are good trends. I don’t like to say that open source is bad in any way; it’s just handled differently.”