Organizations, regardless of industry, need to do a better job of keeping components open-source given their critical nature in software, according to this year’s risk analysis report from cybersecurity firm Synopsys. .
Open source software is now the basis for the vast majority of applications in all industries. But many of these industries struggle to manage the risks associated with open source.
Synopsys released the 2021 Open Source Security and Risk Analysis (OSSRA) report on April 13. The report examines the results of open source audits, including usage trends and best practices in business applications.
Researchers analyzed over 1,500 commercial code bases and found that open source security, license compliance, and maintenance issues are pervasive across all sectors of industry. The report highlights trends in the use of open source in business applications and provides information to help business and open source developers better understand the interconnected software ecosystem.
Consider that all audited companies in the marketing technology industry had open source in their code bases. These include the major software platforms used for lead generation, CRM, and social media. Ninety-five percent of these code bases contained open source vulnerabilities.
“That over 90% of code bases were using open source without any development activity over the past two years is not surprising,” said Tim Mackey, senior security strategist at the Synopsys Cybersecurity Research Center.
Risk factors are widening
The Synopsys report details the pervasive risks posed by unmanaged open source code. These risks range from security vulnerabilities to obsolete or discontinued components, to license compliance issues.
“Unlike commercial software, where vendors can pass information to their users, open source relies on community engagement to thrive. When an open source component is adopted into a commercial offering without this commitment, the vitality of the project can easily decline, ”explained Mackey.
Orphan projects are not a new problem. When they do arise, resolving security issues becomes all the more difficult. The solution is simple: invest in supporting the projects you depend on for your success, he added.
The open source risk trends identified in the OSSRA 2021 report reveal that obsolete open source components in commercial software are the norm. 85% of code bases contained open source dependencies that were obsolete for more than four years.
One of the most important lessons from this year’s report has been the predominant growth of orphaned open source code, according to Fred Bals, senior researcher, Synopsys Cybersecurity Research Center.
“An alarming 91% of the code bases we audited contained open source that had no development activity for the past two years, which means no code improvements and no security fixes.” , he told LinuxInsider. Orphaned open source is a significant and growing problem.
Unlike abandoned projects, obsolete open source components have active developer communities that release updates and security fixes that are not enforced by their downstream commercial consumers, according to Mackey.
Beyond the obvious security implications of neglecting to apply patches, the use of outdated open source components can contribute to heavy technical debt. This debt comes in the form of functionality and compatibility issues associated with future updates.
The prevalence of open source vulnerabilities is heading in the wrong direction, researchers say. In 2020, the percentage of code bases containing vulnerable open source components increased to 84%, an increase of 9% from 2019.
Likewise, the percentage of code bases containing high-risk vulnerabilities has increased from 49% to 60%. Several of the top 10 open source vulnerabilities found in codebases in 2019 reappeared in the 2020 audits with significant percentage increases.
Over 90% of the audited code bases contained open source components with license conflicts, custom licenses, or no license at all. Another factor is that 65% of code bases audited in 2020 contained open source software licensing conflicts, typically involving the GNU General Public License, according to the report.
At least 26% of the code bases were using unlicensed open source or a custom license. The three issues often need to be assessed in the event of potential intellectual property infringement and other legal issues, especially in the context of merger and acquisition transactions, the researchers noted.
All of the companies audited in the Marketing Technology category – which include lead generation, CRM, and social media – contained open source code in their code bases. Almost all (95%) had open source vulnerabilities.
Researchers found comparable figures in audited databases from the retail, financial services and healthcare industries, according to Bals.
In healthcare, 98 percent of code bases contained open source. In these code bases, 67% contained vulnerabilities.
In the financial services / fintech industry, 97% of code bases contained open source software. Over 60% of these code bases contained vulnerabilities.
In the retail and e-commerce industry, 92% of code bases contained open source code and 71% of code bases contained vulnerabilities.
In 2020, the percentage of code bases containing high-risk vulnerabilities increased from 49% to 60%. What was more troubling was that several of the top 10 open source vulnerabilities found in 2019 codebases reappeared in the 2020 audits, all with significant percentage increases, Bals observed.
“When you look at industry outages, there is an indication that the increase in vulnerabilities may be at least in part due to the pandemic and the significant increase in the use of marketing, sales and marketing technologies. detail and customer relationship, ”he explained.
Open source is generally safe, Bals insisted. It is the unmanaged use of open source that creates the problem.
“The developers and the companies behind them need to treat the open source they use the same way they do the code they write themselves. This means creating and maintaining a complete inventory of the open source used by their software, getting accurate information about the severity and exploitability of the vulnerability, and having a clear direction on how to fix affected open source ”, did he declare.
It wasn’t that long ago that commercial vendors called open source “snake oil” and even a disease, Bals noted. Many commercial companies have even banned their developers from using open source.
Fortunately, those days are over. You would be hard pressed today to find an application that does not depend on open source, he replied.
“But open source management has yet to catch up with the use of open source. Many development teams still use manual processes like spreadsheets to track open source. There is now far too much open source to follow without automating the process, ”he added.