Black Duck Software released its 2017 Open Source Security and Risk Analysis on Wednesday, detailing significant cross-industry risks related to open source vulnerabilities and licensing compliance issues.
Black Duck audited 1,071 commercial applications for the study last year. Across key industries, the audits show widespread weaknesses in managing the risk of open source security vulnerabilities.
According to the Black Duck report, open source security vulnerabilities pose the highest risk to e-commerce and fintech.
Open source use is ubiquitous. An estimated 80-90% of the code in software applications today is open source, noted Black Duck CEO Lou Shipley.
Open source reduces development costs, accelerates innovation and speeds time to market. However, there is a disturbing level of inefficiency in managing the risks of open source security vulnerabilities, he said.
“On the security side, 96% of applications use open source,” noted Mike Pittenger, vice president of security strategy at Black Duck Software.
“The other big change we’re seeing is more open source being built into commercial software,” he told LinuxInsider.
The results of the open source audit should alarm security managers. The application layer is the main target of attackers, so open source exploits are the biggest application security risk that most companies have, Shipley said.
Understanding the report
The title of the report, “2017 Open Source Security and Risk Analysis,” might be a little misleading. This is not an isolated look at open source software. Rather, it is an integrated assessment of open source code that coexists with proprietary code in software applications.
“The report deals exclusively with commercial products,” Pittenger said. “We think this skews the results a bit, in that it’s a lagging indicator of how open source is being used. In some cases, the software was developed three, five or ten years ago.”
The report provides an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. It examines the results of anonymized data from over 1,000 business applications audited in 2016.
Black Duck’s previous open source vulnerability report was based on audits involving only a few hundred commercial applications, compared to the 1,071 software applications audited for the current study.
“The second round of audits shows an improvement in how open source is managed. Last year, the age of vulnerabilities was over five years on average. This year, that vulnerability age factor has dropped to four years. Still, that’s a pretty big improvement over last year,” Pittenger said.
Through its research, Black Duck aims to help development teams better understand the security and open source licensing risk landscape. Its report includes recommendations to help organizations reduce their security and legal risks.
“There is an increased awareness. More and more people are realizing that they need to start tracking vulnerabilities and what’s in their software,” Pittenger said.
Black Duck performs hundreds of open source code audits each year that target M&A transactions. Its Center for Open Source Research and Innovation (COSRI) has revealed both high levels of open source usage and significant risks from open source security vulnerabilities.
According to the report, 96% of analyzed commercial applications contained open source code and more than 60% contained open source security vulnerabilities.
Every industry category covered by the audits contained applications with open source security vulnerabilities.
For example, financial industry application audit results showed an average of 52 open source vulnerabilities per application, and 60% of applications had high-risk vulnerabilities.
The audit found even more serious security risks for the retail and e-commerce sector, which had the highest proportion of applications with high-risk open source vulnerabilities. Eighty-three percent of audited applications contained high-risk vulnerabilities.
The status of open source software licenses could be even more troubling: the audits found widespread license conflicts. More than 85% of audited applications had open source components with licensing issues.
Black Duck’s report should serve as a wake-up call, given the widespread use of open source code. Audits show that very few developers are doing an adequate job of detecting, patching and monitoring open source components and vulnerabilities in their applications, observed Chris Fearon, director of Black Duck’s open source security research group, the security research arm of COSRI.
“The results of the COSRI analysis clearly demonstrate that organizations in all industries still have a long way to go before effectively managing their open source,” Fearon said.
Using open source software is an essential part of application development. Some 96% of the applications analyzed used open source code. The average app included 147 unique open source components.
On average, vulnerabilities identified in audited applications had been publicly known for more than four years, according to the report. Many commonly used infrastructure components contained high-risk vulnerabilities.
The affected components included versions of the Linux kernel, PHP, the Microsoft .NET Framework and Ruby on Rails. On average, the applications contained 27 vulnerable open source components.
Many of the points highlighted by Black Duck’s report are long-standing issues that have not registered a significant negative impact on open source, observed Charles King, principal analyst at Pund-IT.
“The findings are certainly concerning, both in the weaknesses they point to in open source development and in how these vulnerabilities are and can be exploited by various malicious actors,” he told LinuxInsider.
With security threats growing in size and complexity, open source developers must assess how well they are served by traditional methodologies, King added.
Illegal use of code
Unlicensed use of open source software is widespread, according to the report, which attributes it to the misguided notion that anything open source can be used without meeting licensing requirements.
Fifty-three percent of the applications analyzed contained components with “unknown” licenses, according to the report. In other words, the components carried no identifiable license, so no one had obtained permission from the creator of the code to use, modify or share it.
The applications audited contained an average of 147 open source components. According to the report, it would be impossible to track associated license obligations and identify conflicts without automated processes in place.
About 85% of audited applications contained components with conflicts, most often violations of the General Public License (GPL). Three quarters of the applications contained components under the GPL family of licenses, and only 45% of those were in compliance.
Open source has become essential in the development of applications, according to a recent Forrester Research report referenced by Black Duck.
Custom code accounted for only 10-20% of applications, according to the Forrester study.
Companies ignore security
According to the Black Duck report, software developers and IT staff who use open source code are not taking the necessary steps to protect applications against vulnerabilities. Even when they use internal security programs and deploy security testing tools such as static analysis and dynamic analysis, they miss vulnerable code.
These tools are useful in identifying common coding errors that can lead to security issues, but the same tools have proven ineffective in identifying vulnerabilities that enter code through open source components, the report warns.
For example, more than 4% of tested applications had the POODLE vulnerability. Over 4% had FREAK and over 3.5% had DROWN. More than 1.5% of codebases still had the Heartbleed vulnerability, more than two years after it was publicly disclosed, according to Black Duck audits.
Some 3,623 new open-source component vulnerabilities were reported last year, an average of nearly 10 vulnerabilities per day, a 10% increase from the previous year.
This makes effective open source security and management more critical than ever, and with it the need for greater visibility and control over the open source in use. Detecting and remediating security vulnerabilities should be a high priority, the report concludes.
The Black Duck audit report recommends that organizations adopt the following open source management practices:
- make a complete inventory of open source software;
- map open source to known security vulnerabilities;
- identify licensing and quality risks;
- enforce open source risk policies; and
- monitor new security threats.
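To show what these five practices look like when reduced to code, here is a small software-composition-analysis check written as an added example for this page; it is not Black Duck’s product or audit tooling. It parses a component inventory, matches each component’s version against an advisory feed (which is the step static and dynamic analysis tools described above do not perform), applies a license policy, computes the average age of the matched vulnerabilities, and diffs two advisory feeds to flag newly affected components. All component names, versions and advisory IDs marked CONSTRUCTED are invented for the example; the one real entry is Heartbleed (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f), included because the article cites it. The license denylist is a hypothetical policy for a proprietary product, and the version comparator handles only dotted numbers with an optional letter suffix in the OpenSSL style.

```python
"""Toy SCA check: inventory -> vulnerability mapping -> license policy ->
enforcement -> monitoring. Added example, not Black Duck's tooling.
Data marked CONSTRUCTED is invented; only the Heartbleed advisory is real."""
from dataclasses import dataclass
from datetime import date
import re

# 1. Inventory: one component per line, "name version declared-license".
INVENTORY = """\
openssl    1.0.1f  OpenSSL
libxmlish  2.9.1   MIT
webfw      3.4.0   GPL-2.0-only
imgutil    0.7     UNKNOWN
"""  # CONSTRUCTED sample inventory


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


def parse_inventory(text):
    comps = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, version, lic = line.split()
            comps.append(Component(name, version, lic))
    return comps


# 2. Known vulnerabilities keyed by component and affected version range.
@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    affected: str    # comma-separated constraints, e.g. ">=1.0.1,<1.0.1g"
    severity: str    # "high" | "medium" | "low"
    published: date


ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", ">=1.0.1,<1.0.1g", "high", date(2014, 4, 7)),  # Heartbleed (real)
    Advisory("EXAMPLE-2015-0001", "webfw", "<3.5.0", "high", date(2015, 9, 1)),          # CONSTRUCTED
    Advisory("EXAMPLE-2016-0002", "libxmlish", "<2.9.0", "medium", date(2016, 2, 1)),   # CONSTRUCTED, not matching
]


def parse_version(v):
    """'1.0.1g' -> ((0,1),(0,0),(0,1),(1,'g')); tags keep int/str parts comparable."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def version_in_range(version, spec):
    """True if `version` satisfies every constraint in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def map_vulnerabilities(components, advisories):
    """Return {component: [advisories whose range contains its version]}."""
    hits = {}
    for c in components:
        for a in advisories:
            if a.component == c.name and version_in_range(c.version, a.affected):
                hits.setdefault(c, []).append(a)
    return hits


# 3/4. License policy for a hypothetical proprietary product (CONSTRUCTED).
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "UNKNOWN"}


def license_findings(components):
    return [c for c in components if c.license in DENIED_LICENSES]


def audit(inventory_text, advisories, as_of):
    """Run the full check; `pass` is what a build gate would enforce."""
    comps = parse_inventory(inventory_text)
    vulns = map_vulnerabilities(comps, advisories)
    high = [(c.name, a.id) for c, lst in vulns.items() for a in lst if a.severity == "high"]
    ages = [(as_of - a.published).days / 365.25 for lst in vulns.values() for a in lst]
    lic = [(c.name, c.license) for c in license_findings(comps)]
    return {"components": len(comps), "vulnerable_components": len(vulns), "high_risk": high,
            "avg_vuln_age_years": round(sum(ages) / len(ages), 1) if ages else 0.0,
            "license_violations": lic, "pass": not high and not lic}


def newly_affected(inventory_text, old_feed, new_feed):
    """5. Monitoring: advisory IDs that hit the inventory only in the newer feed."""
    comps = parse_inventory(inventory_text)
    before = {(c, a.id) for c, lst in map_vulnerabilities(comps, old_feed).items() for a in lst}
    after = {(c, a.id) for c, lst in map_vulnerabilities(comps, new_feed).items() for a in lst}
    return sorted(a_id for _, a_id in after - before)


if __name__ == "__main__":
    print(audit(INVENTORY, ADVISORIES, date(2016, 12, 31)))
```

The version comparison is the part worth getting right: a tool that only recognizes "OpenSSL is present" without matching the exact version against the affected range produces the false negatives the report describes, and a naive string comparison would rank 1.0.1g before 1.0.10. The monitoring function exists because an inventory that passed yesterday can fail today when an advisory for a component already in the product is published.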