
Editor’s brief: Open source software (OSS), whether used as a finished product or as components built into a larger application, is becoming increasingly popular. Modular code is the way to go, and what easier way than to scour repositories for software fragments or modules that you can simply plug into your own custom software? It saves time and money, right? However, convenience is often the bane of cybersecurity. As Synopsys found, 91% of the commercial codebases it audited contain outdated or even abandoned OSS components, which carry serious cybersecurity risks and vulnerabilities, some of which may never be patched upstream. New code may need to be written from scratch to replace such abandonware if no alternatives are found, at additional cost. Read more below.

SINGAPORE - Synopsys, Inc. (Nasdaq: SNPS) today released the 2020 Open Source Security and Risk Analysis (OSSRA) report. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,250 audits of commercial codebases, performed by the Black Duck Audit Services team. The report highlights trends and patterns in open source usage within commercial applications, and provides insights and recommendations to help organisations better manage open source risk from a security, license compliance, and operational perspective.

Almost all (99%) of the codebases audited during the last year contain at least one open source component, and open source makes up 70% of the code overall, as reported in the 2020 OSSRA report; this reinforces the crucial role that open source plays in today’s software ecosystem. 91% of the codebases included components that were either more than four years out of date or had seen no development activity in the last two years. That, however, was not the most striking finding.

75% of audited codebases contain open source components with known security vulnerabilities, up from 60% last year; this is the most worrisome trend in this year’s report. Equally concerning, nearly half of the codebases contained high-risk vulnerabilities (49%, versus 40% in the previous 12 months).

“It’s difficult to dismiss the vital role that open source plays in modern software development and deployment, but it’s easy to overlook how it impacts your application risk posture from a security and license compliance perspective,” said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center. “The 2020 OSSRA report highlights how organisations continue to struggle to effectively track and manage their open source risk. Maintaining an accurate inventory of third-party software components, including open source dependencies, and keeping it up to date is a key starting point to address application risk on multiple levels.”

A summary of the most noteworthy open source risk trends identified in the 2020 OSSRA report follows:

  • Open source adoption continues to soar. Ninety-nine percent of codebases contain at least some open source, with an average of 445 open source components per codebase — a significant increase from 298 in 2018. Seventy percent of the audited code was identified as open source, a figure that increased from 60% in 2018 and has nearly doubled since 2015 (36%).
  • Outdated and “abandoned” open source components are pervasive. Ninety-one percent of codebases contained components that either were more than four years out of date or had no development activity in the past two years. Beyond the increased likelihood that security vulnerabilities exist, the risk of using outdated open source components is that updating them can also introduce unwanted functionality or compatibility issues.
  • The use of vulnerable open source components is trending upward again. In 2019, the percentage of codebases containing vulnerable open source components rose to 75% after dropping from 78% to 60% between 2017 and 2018. Similarly, the percentage of codebases containing high-risk vulnerabilities jumped to 49% in 2019 from 40% in 2018. Fortunately, none of the codebases audited in 2019 were impacted by the infamous Heartbleed bug or the Apache Struts vulnerability that haunted Equifax in 2017.
  • Open source license conflicts continue to put intellectual property at risk. Despite its reputation for being “free,” open source software is no different from any other software in that its use is governed by a license. Sixty-eight percent of codebases contained some form of open source license conflict, and 33% contained open source components with no identifiable license. The prevalence of license conflicts varied significantly by industry, ranging from a high of 93% (Internet & Mobile Apps) to a relatively low of 59% (Virtual Reality, Gaming, Entertainment, Media).
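The report’s recommendation is an accurate, continuously updated inventory of third-party components, and the bullets above give concrete thresholds for what counts as "outdated" (more than four years) and "abandoned" (no upstream activity in two years). The following is an added example, not code from Synopsys or the OSSRA report, of applying those thresholds, plus the report’s "no identifiable license" and "known vulnerability" findings, to a component inventory. The CSV inventory format, the component names and dates, and the use of the in-use version’s release date as the proxy for "out of date" are all assumptions made for the example.

```python
"""Apply the OSSRA 2020 staleness, license and vulnerability findings to a
component inventory.  Added example; inventory format and data are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Thresholds as stated in the OSSRA 2020 summary above.
OUTDATED_YEARS = 4    # version in use is more than four years out of date
ABANDONED_YEARS = 2   # no upstream development activity in the last two years

# Audit date used for the sample run (assumed: around the report's release).
SAMPLE_TODAY = date(2020, 5, 12)


@dataclass
class Component:
    name: str
    version: str
    version_released: date        # release date of the version actually in use
    last_upstream_activity: date  # most recent upstream commit or release
    license: Optional[str]        # SPDX identifier, or None when unidentified
    known_vulns: int              # number of advisories matched for this version


# Constructed sample inventory: hypothetical component names, dates and counts.
SAMPLE_INVENTORY_CSV = """name,version,version_released,last_upstream_activity,license,known_vulns
oldparser,1.2.0,2015-03-01,2015-06-15,MIT,0
utilkit,0.9.4,2017-01-10,2019-12-01,,0
netlib,3.1.0,2019-11-20,2020-04-02,Apache-2.0,1
imgcodec,2.0.1,2019-06-05,2020-03-11,BSD-3-Clause,0
"""


def load_inventory(csv_text: str) -> List[Component]:
    """Parse the (assumed) CSV inventory format into Component records."""
    components = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        components.append(Component(
            name=row["name"],
            version=row["version"],
            version_released=date.fromisoformat(row["version_released"]),
            last_upstream_activity=date.fromisoformat(row["last_upstream_activity"]),
            license=row["license"] or None,      # empty cell = no identifiable license
            known_vulns=int(row["known_vulns"]),
        ))
    return components


def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25


def audit_component(c: Component, today: date) -> Set[str]:
    """Return the set of OSSRA-style findings that apply to one component."""
    findings = set()
    if years_between(c.version_released, today) > OUTDATED_YEARS:
        findings.add("outdated")
    if years_between(c.last_upstream_activity, today) > ABANDONED_YEARS:
        findings.add("abandoned")
    if c.license is None:
        findings.add("no-license")
    if c.known_vulns > 0:
        findings.add("vulnerable")
    return findings


def audit_codebase(inventory: List[Component], today: date) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Per-component findings plus codebase-level flags.  The report counts a
    codebase as affected when any one of its components triggers a finding,
    so the codebase flags are the union of the component findings."""
    per_component = {c.name: audit_component(c, today) for c in inventory}
    codebase_flags = set().union(*per_component.values()) if per_component else set()
    return per_component, codebase_flags


def run_sample() -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Audit the constructed inventory as of SAMPLE_TODAY."""
    return audit_codebase(load_inventory(SAMPLE_INVENTORY_CSV), SAMPLE_TODAY)


if __name__ == "__main__":
    per_component, flags = run_sample()
    for name, findings in per_component.items():
        print(f"{name:10} {', '.join(sorted(findings)) or 'ok'}")
    print("codebase flags:", ", ".join(sorted(flags)))
```

In a real pipeline the inventory would be generated from the build (a lock file or an SBOM) rather than hand-maintained, and `last_upstream_activity` and `known_vulns` would be refreshed from the package registry and an advisory feed on every run; the thresholds are the only part that comes from the report itself.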

To learn more, download a copy of the 2020 OSSRA report.

Synopsys Open Source Security and Risk Analysis Report (OSSRA) 2020 – a snapshot