Synopsys, Inc. has released its 2021 Open Source Security and Risk Analysis (OSSRA) report, which examines the results of more than 1,500 audits of commercial codebases. Produced by the Synopsys Cybersecurity Research Center (CyRC) from audits performed by the Black Duck® Audit Services team, the report highlights trends in open source usage within commercial applications and offers insights to help commercial and open source developers better understand the interconnected software ecosystem they are part of. It also presents the widespread risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.
Open source software provides the foundation for the vast majority of applications across all industries. Unfortunately, these industries, to varying degrees, are struggling to manage the associated risk. The study found that 100% of the codebases audited in the marketing tech sector, which includes lead generation, CRM, and social media, contained open source, and 95% of those marketing tech codebases contained open source vulnerabilities. In addition, 67% of codebases in the healthcare sector, 60% of codebases in the financial services/fintech sector, and 71% of codebases in the retail and e-commerce sector contained vulnerabilities in their open source components.
More alarmingly, the report underscores the widespread use of abandoned open source components: 91% of the codebases contained open source dependencies that had not been developed for the last two years, which means no code improvements and no security fixes. According to Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, this is, however, “not surprising”. He claims that, “unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive.” Abandoned projects aren’t a new problem. The problem lies in addressing the security issues within these unattended projects, which become increasingly harder to deal with over time. Even so, Mackey believes that the solution is quite simple – “invest in supporting those projects you depend upon for your success.”
A new norm: Outdated open source components in commercial software
85% of the codebases contained open source dependencies that were more than four years out-of-date. These outdated components generally have active developer communities that publish updates and security patches, but the patches are not being applied by downstream commercial consumers. As a result, outdated components accumulate technical debt in the form of functionality and compatibility issues that can interfere with future updates, while leaving known vulnerabilities in place.
Open source vulnerabilities are becoming increasingly pervasive
In 2020, the percentage of codebases containing vulnerable open source components saw a 9% increase from the year before. Correspondingly, the percentage of codebases containing high-risk vulnerabilities rose from 49% to 60%. Several of the top 10 open source vulnerabilities found in codebases in 2019 reappeared in the 2020 audits, in most cases at significantly higher percentages of codebases.
Open source and licensing
In 2020, 65% of the codebases audited contained open source software license conflicts, most of which involved the GNU General Public License. Surprisingly, 26% of these codebases were using open source with either no license or a customized license, which exposes the user to possible intellectual property infringement and other legal concerns. Therefore, especially in the context of merger and acquisition transactions, all three of these issues need to be thoroughly evaluated to avoid potential conflict.
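The three risk categories the report measures, abandoned components, outdated components, and license problems, can be checked against a dependency inventory before an audit or acquisition. The following is an added example and is not code from the OSSRA report, Synopsys, or the Black Duck tooling. It assumes a hypothetical inventory format with upstream activity dates and SPDX license identifiers, interprets "not developed for two years" as no upstream commit in that period and "four years out-of-date" as the version in use being released more than four years before the newest upstream release, and uses a constructed, illustrative list of copyleft license prefixes that a reviewer would want legal input on.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the report's findings: dependencies "not developed for the
# last two years" (abandoned) and "more than four years out-of-date" (outdated).
ABANDONED_AFTER_DAYS = 2 * 365
OUTDATED_AFTER_DAYS = 4 * 365

# Assumption (illustrative only): strong-copyleft license families that merit
# legal review when linked into proprietary code. Not a complete or authoritative list.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")

# Hypothetical inventory record; real SBOM/SCA output would be mapped onto this shape.
@dataclass
class Dependency:
    name: str
    used_version: str
    used_version_released: date    # release date of the version actually in the codebase
    latest_version_released: date  # release date of the newest upstream release
    last_upstream_commit: date     # most recent development activity upstream
    license: Optional[str]         # SPDX id, "CUSTOM" for a bespoke license, None if none found


def triage(dep: Dependency, as_of: date) -> List[str]:
    """Return the risk categories a single dependency falls into as of a given date."""
    findings: List[str] = []
    if (as_of - dep.last_upstream_commit).days > ABANDONED_AFTER_DAYS:
        findings.append("abandoned")
    if (dep.latest_version_released - dep.used_version_released).days > OUTDATED_AFTER_DAYS:
        findings.append("outdated")
    if dep.license is None:
        findings.append("no-license")
    elif dep.license.upper() == "CUSTOM":
        findings.append("custom-license")
    elif dep.license.upper().startswith(COPYLEFT_PREFIXES):
        findings.append("copyleft-review")
    return findings


CATEGORIES = ["abandoned", "outdated", "no-license", "custom-license", "copyleft-review"]


def summarize(deps: List[Dependency], as_of: date) -> Dict[str, object]:
    """Per-dependency findings plus the share of the inventory hit by each category."""
    findings = {dep.name: triage(dep, as_of) for dep in deps}
    total = len(deps)
    percent = {
        cat: round(100.0 * sum(1 for f in findings.values() if cat in f) / total, 1)
        for cat in CATEGORIES
    }
    percent["any"] = round(100.0 * sum(1 for f in findings.values() if f) / total, 1)
    return {"findings": findings, "percent_of_dependencies": percent}


# Constructed sample inventory: four hypothetical packages chosen to exercise each category.
AS_OF = date(2021, 1, 1)
INVENTORY = [
    Dependency("libfoo", "1.2.0", date(2016, 3, 1), date(2020, 11, 15), date(2020, 12, 20), "MIT"),
    Dependency("oldparser", "0.9.1", date(2017, 5, 5), date(2017, 5, 5), date(2018, 6, 30), None),
    Dependency("gplthing", "3.1.0", date(2020, 6, 1), date(2020, 9, 1), date(2020, 12, 1), "GPL-3.0-only"),
    Dependency("vendored", "2.0.0", date(2019, 1, 10), date(2019, 1, 10), date(2020, 10, 10), "CUSTOM"),
]


def run_example() -> Dict[str, object]:
    return summarize(INVENTORY, AS_OF)


if __name__ == "__main__":
    report = run_example()
    for name, flags in report["findings"].items():
        print(f"{name:12s} {', '.join(flags) or 'clean'}")
    print(report["percent_of_dependencies"])
```

The per-category percentages mirror how the report presents its findings, so the same script can be run over an inventory exported from a software composition analysis tool to compare a codebase against the industry figures above. Tighten or relax the thresholds to match your own policy; the report's two- and four-year figures are observations about the audited codebases, not recommended limits.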