The number of open source components in the code base of proprietary applications continues to grow and, with it, the risk of these applications being compromised by attackers taking advantage of their vulnerabilities, a recent report showed.
Compiled after examining the results of anonymized data from more than 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report found that:
- 96 percent of the applications analyzed contain open source components, with an average of 257 components per application.
- The average percentage of open source in the codebases of analyzed applications increased from 36% last year to 57%, suggesting that a large number of applications now contain much more open source code than proprietary code.
“Today, the use of open source is ubiquitous in all industries and is used by organizations of all sizes. The reasons are simple: open source reduces development costs, speeds time to market and accelerates innovation and developer productivity,” noted analysts from the Synopsys Center for Open Source Research & Innovation (COSRI).
Vulnerabilities and their exploits are regularly disclosed through various online sources, such as the National Vulnerability Database, mailing lists and project home pages. With over 80% of all cyber attacks occurring at the application level, remedying known vulnerabilities in business and internal applications should be of extreme importance to businesses and other organizations.
Analysts found that 78% of the code bases examined contained at least one vulnerability, with an average of 64 vulnerabilities per code base.
Open source and IoT
Interestingly, IoT applications contain a lot of open source components.
“Of the IoT applications analyzed, on average 77% of the code base was made up of open source components, with an average of 677 vulnerabilities per application,” analysts said.
“The numbers clearly show that any organization planning to use IoT technology needs to look at the software ecosystem it uses to deliver device functionality and factor open source identification and management into its overall security program. In addition to reviewing custom source code for vulnerabilities, companies should ensure that open source code used in the Internet of Things does not introduce hidden security vulnerabilities.”
Open source and security
Open source is no more and no less secure than custom code, analysts noted, but certain characteristics of open source make vulnerabilities in popular components very attractive to attackers.
The main one is that, unlike commercial software, where updates are pushed to users automatically, open source follows a pull support model: users themselves are responsible for tracking the vulnerabilities, fixes and updates for the open source components they use.
“Open source can enter codebases in a number of ways, not only through third-party vendors and external development teams, but also through internal developers. If an organization is not aware of all the open source it uses, it cannot defend itself against common attacks targeting known vulnerabilities in these components, and it exposes itself to license compliance risk,” analysts added.
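Because of the pull model described above, the organization has to do the matching between its own component inventory and published advisories itself. The following is an added example, not code from the report or from Black Duck: it checks a constructed component inventory against a small constructed advisory list, handling OpenSSL-style letter-suffixed versions such as 1.0.1f. The Heartbleed range (OpenSSL 1.0.1 through 1.0.1f) is public record; the Struts entry is a placeholder with made-up version bounds.

```python
import re

# Constructed advisory feed. The Heartbleed range is the real one
# (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the Struts entry is a
# placeholder with made-up bounds, not the advisory behind the Equifax breach.
ADVISORIES = [
    {"name": "Heartbleed", "component": "openssl", "min": "1.0.1", "max": "1.0.1f"},
    {"name": "PLACEHOLDER-struts-advisory", "component": "struts2-core",
     "min": "2.3.5", "max": "2.3.31"},
]

# Constructed inventory, as a software composition scan of one codebase might report it.
INVENTORY = [
    ("openssl", "1.0.1e"),       # inside the Heartbleed range
    ("openssl", "1.0.1g"),       # the fixed release
    ("struts2-core", "2.3.20"),  # inside the placeholder range
    ("log4j", "1.2.17"),         # no advisory in this feed
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def version_key(version: str):
    """Turn '1.0.1f' into ((1, 0, 1, 0), 'f') so Python tuple ordering compares
    versions correctly: numeric fields first (zero-padded to four), then the
    optional letter suffix ('' sorts before 'a', so 1.0.1 < 1.0.1a < 1.0.1f)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums + (0,) * (4 - len(nums)), m.group(2)


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high under version_key ordering."""
    return version_key(low) <= version_key(version) <= version_key(high)


def find_vulnerable(inventory, advisories):
    """Return (component, version, advisory name) for every inventory entry
    that falls inside an advisory's affected range."""
    hits = []
    for component, version in inventory:
        for adv in advisories:
            if adv["component"] == component and in_range(version, adv["min"], adv["max"]):
                hits.append((component, version, adv["name"]))
    return hits


if __name__ == "__main__":
    for component, version, advisory in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{component} {version}: affected by {advisory}")
```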
Over 54% of vulnerabilities found by auditors in code bases are considered high-risk vulnerabilities, that is, they are easily exploitable. Additionally, 17% of the code bases contained a high-profile “named” vulnerability such as Heartbleed, Logjam, Freak, Drown, and Poodle.
4% of audited code bases still contained Heartbleed, 4 years after its disclosure. 8% of them contained Apache Struts, and of these, 33% still contained the Struts vulnerability that resulted in the Equifax breach.
“The debate on whether to use open source is moot. Today, most application code is clearly open source,” analysts noted, adding that as the codebase landscape changes, an organization’s application security program must evolve to remain effective.