A new report produced by the Synopsys Cybersecurity Research Center has shown that while organizations are at a point now where they are becoming more aware of open source risks, there is still much to improve on in terms of responsibly managing open source use.
In the Synopsys 2019 Open Source Security and Risk Analysis (OSSRA) report, which examined results from more than 1,200 audits of commercial applications and libraries, many of the open source risk management challenges that plagued organizations in previous years still persist. Of the codebases scanned, more than 60 percent still contained at least one vulnerability, and 40 percent contained at least one high-risk open source vulnerability. While this is an improvement on the previous year’s 78 percent, it is still a significant share nonetheless.
The age of these vulnerabilities indicates that they have been present for quite some time. On average, they are almost 7 years old, and 43 percent of them are over 10 years old. Clearly, patching processes have not kept pace with the rate at which these vulnerabilities are disclosed.
Adding to the risk of vulnerabilities is the fact that many organizations are still using “abandoned” components: components that have become inactive or have not been maintained or developed for years. The report revealed that a significant 85 percent of codebases contained components that were either more than four years out of date or had seen no development activity in the last two years.
License Conflicts Risks
The OSSRA report also points out that open source license conflicts carry their own risks to intellectual property; unfortunately, 68 percent of codebases were found to contain some form of open source license conflict. This is certainly an improvement on the previous year’s 74 percent, but, just like the improvement in the number of codebases found with vulnerabilities, it remains a significant figure. At the same time, 38 percent of codebases were found to have open source components with no identifiable license.
More Work to Be Done
While the improvements on last year’s figures certainly signify a greater awareness of open source risks and give hope for further progress, there is still much work to be done to markedly minimize, and eventually eliminate, open source risks. If the numbers continue to improve slowly but surely, however, we may expect to have a significantly more secure software industry some years down the line. Until then, let’s hope that these vulnerabilities are kept at bay and that organizations continue to do more to lessen the risks associated with open source use.