Open source code is everywhere, as are many vulnerabilities



One-third of audited codebases that contain Apache Struts suffer from the same vulnerability that facilitated the Equifax hack a year ago

Open source code is ubiquitous in commercial and in-house software applications, but security management does not follow suit, a recent study found.

Based on an analysis of data from over 1,100 commercial codebases audited in 2017, the authors of the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys found that almost all codebases (96%) contained open source components. This is hardly news (the ratio has remained essentially unchanged year over year), but a closer look reveals a more intriguing picture.

The percentage of open source code in the audited codebases increased from 36% to 57% between the 2017 and 2018 reports. "Many applications now contain more open source code than proprietary code," the report notes. Each codebase contained an average of 257 open source components, a 75% increase over the previous edition of the report.


Worryingly, vulnerabilities were both widespread and growing: 78% of the codebases contained at least one known vulnerability, up from 67% in the previous report. The average number of vulnerabilities found per codebase was 64, an increase of 134%, and most of them (54%) were classified as high risk.

Credit: OSSRA

Additionally, 17% of the codebases included in the OSSRA report contained at least one widely publicized vulnerability such as Heartbleed, POODLE, Logjam, FREAK or DROWN, despite the attention these flaws have received over the past several years. Heartbleed, for example, a bug in the open source cryptography library OpenSSL, was still found in 4% of the scanned codebases four years after the vulnerability took internet security by storm.

Do you remember the Equifax hack? The attack, which began in May 2017 and was disclosed four months later, exploited a vulnerability in the popular open source framework Apache Struts. A patch had been available for two months before the intrusion began. The OSSRA report has now found that a third of the scanned codebases that use Apache Struts still contain the same flaw.
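The common thread in the Heartbleed and Struts findings above is that a codebase can carry a component whose vulnerable version range has long been published, and only an inventory of components with a version check against those ranges will surface it. The following script is an added illustration of that check, not code from the OSSRA report or from Black Duck. The article names the flaws but not their identifiers or version bounds; the bounds in the script are the publicly documented ones for the Struts flaw behind the Equifax breach (CVE-2017-5638, fixed in 2.3.32 and 2.5.10.1) and for Heartbleed (CVE-2014-0160, fixed in OpenSSL 1.0.1g), and the pom.xml and native-library finding it audits are constructed sample input.

```python
"""Minimal software-composition check: parse a Maven pom.xml, resolve each
dependency's version, and flag components whose version falls inside a
published vulnerable range.  Added example, not part of the OSSRA report."""
import re
import xml.etree.ElementTree as ET

# Known-vulnerable ranges as [lo, hi) in version space.  These bounds are
# the publicly documented ones, not figures from the article (assumption):
#   CVE-2017-5638 (Struts 2 RCE used against Equifax):
#       2.3.5 <= v < 2.3.32  and  2.5 <= v < 2.5.10.1
#   CVE-2014-0160 (Heartbleed in OpenSSL):
#       1.0.1 <= v < 1.0.1g
KNOWN_VULNS = {
    "struts2-core": [
        ("CVE-2017-5638", "2.3.5", "2.3.32"),
        ("CVE-2017-5638", "2.5", "2.5.10.1"),
    ],
    "openssl": [
        ("CVE-2014-0160", "1.0.1", "1.0.1g"),
    ],
}

_PART = re.compile(r"(\d+)([a-z]?)")


def parse_version(text):
    """Turn '2.5.10.1' or '1.0.1f' into a comparable tuple of ints.
    A trailing letter (OpenSSL style) becomes an extra component (a=1 .. z=26),
    so 1.0.1 < 1.0.1f < 1.0.1g compares correctly.  Pre-release qualifiers
    such as '1.0.2-beta1' are rejected rather than silently misjudged."""
    parts = []
    for piece in text.strip().split("."):
        m = _PART.fullmatch(piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(parts)


def find_vulns(name, version):
    """Return the CVE ids whose vulnerable range contains this component version."""
    ranges = KNOWN_VULNS.get(name)
    if not ranges:
        return []          # nothing known about this component; do not parse it
    v = parse_version(version)
    return [cve for cve, lo, hi in ranges
            if parse_version(lo) <= v < parse_version(hi)]


NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def components_from_pom(pom_xml):
    """Extract (artifactId, version) pairs from a pom.xml string, resolving
    ${property} references against the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        art = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        if art and ver:
            found.append((art, resolve(ver)))
    return found


def audit(components):
    """Map each vulnerable (name, version) pair to its CVE list; clean ones are omitted."""
    report = {}
    for name, version in components:
        hits = find_vulns(name, version)
        if hits:
            report[(name, version)] = hits
    return report


# Constructed sample input: a pom.xml that pins Struts through a property
# (the common case that naive grep-based checks miss), plus one extra dependency.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.5.10</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>"""


def demo():
    """Audit the constructed pom plus a constructed native-library finding
    of the kind a binary scanner would report for a bundled OpenSSL."""
    components = components_from_pom(SAMPLE_POM)
    components.append(("openssl", "1.0.1f"))
    return audit(components)


if __name__ == "__main__":
    for (name, version), cves in demo().items():
        print(f"{name} {version}: {', '.join(cves)}")
```

The half-open range comparison is the part worth getting right: a fixed release such as 2.5.10.1 must compare greater than 2.5.10, and 1.0.1 without a letter must still fall inside the Heartbleed range, which is why the parser turns a trailing letter into an extra numeric component rather than stripping it.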

Of the nine sectors included in the report, the highest proportions of codebases with high-risk vulnerabilities were found in Internet and software infrastructure applications (67%), Internet and mobile applications (60%), and virtual reality, games, entertainment and media (50%).

As OSSRA noted, nearly 5,000 open source vulnerabilities were discovered in 2017, bringing the total to nearly 40,000 since 2000. That figure is part of a larger trend: 2017 set a record for reported vulnerabilities across open source and proprietary code combined, with the number of reported flaws rising from 6,400 in 2016 to more than 14,700 in 2017.


