IT Security Guru
Synopsys Study reveals increase in Vulnerable, Outdated, and Abandoned Open Source Components in Commercial Software

Open source security, license compliance, and maintenance issues are prevailing in every industry sector

by SaskiaEpr
April 13, 2021
in Featured, News, Press Releases, Research, Security News

Synopsys, Inc. has released its 2021 Open Source Security and Risk Analysis (OSSRA) report, which examines the results of more than 1,500 audits of commercial codebases. Produced by the Synopsys Cybersecurity Research Center (CyRC) and performed by the Black Duck® Audit Services team, the report highlights trends in open source usage within commercial applications, while simultaneously providing insights to help commercial and open source developers better understand the interconnected software ecosystem they are part of. It also presents the widespread risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.

Open source software provides the foundation for the vast majority of applications across all industries. Unfortunately, these industries, to varying degrees, are struggling to manage the associated risk. As a matter of fact, the study unveiled that 100% of the companies audited in the marketing tech industry sector, including lead generation, CRM, and social media, contained open source in their codebases, while 95% of the marketing tech codebases contained open source vulnerabilities. On top of this, a staggering 67% of codebases within the healthcare sector, 60% of codebases within the financial services/fintech sector and 71% of codebases within the retail and e-commerce sector also contained vulnerabilities within their open source components.

More alarmingly, the report underscores the widespread use of abandoned open source components: 91% of the codebases contained open source dependencies that had seen no development activity in the last two years, meaning no code improvements and no security fixes. According to Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, this, however, is “not surprising”. He claims that, “unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive.” Disregarded projects aren’t a new problem. The problem lies with addressing the security issues within these unattended projects, as they become increasingly harder to deal with. Even so, Mackey believes that the solution is quite simple – “invest in supporting those projects you depend upon for your success.”

A new norm: Outdated open source components in commercial software

85% of the codebases contained open source dependencies that were more than four years out of date. While these outdated open source components have active developer communities that publish updates and security patches, those updates are not being applied by their downstream commercial consumers. As a result, the outdated components can lead to unwieldy technical debt in the form of functionality and compatibility issues that can interfere with future updates.

Open source vulnerabilities are becoming increasingly pervasive

In 2020, the percentage of codebases containing vulnerable open source components saw an astounding 9% increase from the year before. Correspondingly, the percentage of codebases containing high-risk vulnerabilities rose from 49% to 60%. In fact, several of the top 10 open source vulnerabilities found in codebases in 2019 reappeared in the 2020 audits, with significant percentage increases.

Open source and licensing

In 2020, 65% of the codebases audited contained open source software license conflicts, typically involving the GNU General Public License. Surprisingly, 26% of these codebases were using open source with either no license or a customized license, which could lead to possible intellectual property infringement along with other legal concerns. Therefore, especially in the context of merger and acquisition transactions, all three of these issues need to be thoroughly evaluated to avoid potential conflict.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic