Organizations continue to face challenges with managing open source risk, according to a new report published today by published today by Synopsys Cybersecurity Research Center (CyRC).
The annual Open Source Security and Risk Analysis (OSSRA) Report, analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. The results reflect an increase from the number of codebases in 2017, which was only 257.
In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).
While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.
“At the end of the day, all software is vulnerable to attack – without exception – and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs,” said Cody Brocious, hacker and head of hacker education at HackerOne.
“The security risk is significantly diminished by increasing visibility. If you’re not using open source components, you’d be using closed source components – either commercially available or hand-rolled – that have just as high of a likelihood of being vulnerable. Except that you just don't know about the bugs, unlike with open source components.
“There are a multitude of tools which can be used to scan your codebase to determine which open source components (and versions) are in use, and check this against various vulnerability databases. Example tools include Dependency-check from OWASP, and commercial tools such as SourceClear and Snyk.”