Black Duck Software on Wednesday released its 2017 Open Source Security and Risk Analysis, detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges.
Black Duck conducted audits of more than 1,071 open source applications for the study last year. There are widespread weaknesses in addressing open source security vulnerability risks across key industries, the audits show.
Open source security vulnerabilities pose the highest risk to e-commerce and financial technologies, according to Black Duck’s report.
Open source use is ubiquitous worldwide. An estimated 80 percent to 90 percent of the code in today’s software applications is open source, noted Black Duck CEO Lou Shipley.
Open source lowers dev costs, accelerates innovation, and speeds time to market. However, there is a troubling level of ineffectiveness in addressing risks related to open source security vulnerabilities, he said.
“From the security side, 96 percent of the applications are using open source,” noted Mike Pittenger, vice president for security strategy at Black Duck Software.
“The other big change we see is more open source is bundled into commercial software,” he told LinuxInsider.
The open source audit findings should be alarming to security executives. The application layer is a primary target for hackers. Thus, open source exploits are the biggest application security risk that most companies have, said Shipley.
Understanding the Report
The report’s title, “2017 Open Source Security and Risk Analysis,” may be a bit misleading. It is not an isolated look at open source software. Rather, it is an integrated assessment of open source code that coexists with proprietary code in software applications.
“The report deals exclusively with commercial products,” said Pittenger. “We think it skews the results a little bit, in that it is a lagging indicator of how open source is used. In some cases, the software was developed within three, five or 10 years ago.”
The report provides an in-depth look at the state of open source security, compliance, and code-quality risk in commercial software. It examines findings from the anonymized data of more than 1,000 commercial applications audited in 2016.
Black Duck’s previous open source vulnerability report was based on audits involving only a few hundred commercial applications, compared to the 1,071 software applications audited for the current study.
“The second round of audits shows an improving situation for how open source is handled. The age of the vulnerabilities last year was over five years on average. This year, that age of vulnerability factor came down to four years. Still, that is a pretty big improvement over last year,” Pittenger said.
Through its research, Black Duch aims to help development teams better understand the open source security and license risk landscape. Its report includes recommendations to help organizations lessen their security and legal risks.
“There is increased awareness. More people are aware that they have to start tracking vulnerabilities and what is in their software,” said Pittenger.
Black Duck conducts hundreds of open source code audits annually that target merger and acquisition transactions. Its Center for Open Source Research and Innovation (COSRI) revealed both high levels of open source use and significant risk from open source security vulnerabilities.
Ninety-six percent of the analyzed commercial applications contained open source code, and more than 60 percent contained open source security vulnerabilities, the report shows.
All of the targeted software categories were shown to be vulnerable to security flaws.
For instance, the audit results of applications from the financial industry averaged 52 open source vulnerabilities per application, and 60 percent of the applications were found to have high-risk vulnerabilities.
The audit disclosed even worse security risks for the retail and e-commerce industry, which had the highest proportion of applications with high-risk open source vulnerabilities. Eighty-three percent of audited applications contained high-risk vulnerabilities.
The status of open source software licenses might be even more troubling — the research exposed widespread conflicts. More than 85 percent of the applications audited had open source components with license challenges.
Black Duck’s report should serve as a wake-up call, considering the widespread use of open source code. The audits show that very few developers are doing an adequate job of detecting, remediating and monitoring open source components and vulnerabilities in their applications, observed Chris Fearon, director of Black Duck’s Open Source Security Research Group, COSRI’s security research arm.
“The results of the COSRI analysis clearly demonstrate that organizations in every industry have a long way to go before they are effective managing their open source,” Fearon said.
The use of open source software is an essential part of application development. Some 96 percent of scanned applications used open source code. The average app included 147 unique open source components.
On average, vulnerabilities identified in the audited applications had been publicly known for more than four years, according to the report. Many commonly used infrastructure components contained high-risk vulnerabilities.
Even versions of Linux Kernel, PHP, MS .Net Framework, and Ruby on Rails were found to have vulnerabilities. On average, apps contained 27 vulnerable open source components.
Many of the points Black Duck’s report highlights are longstanding issues that haven’t registered a negative impact on open source to any great degree, observed Charles King, principal analyst at Pund-IT.
“The findings are certainly concerning, both in the weaknesses they point to in open source development and how those vulnerabilities are and can be exploited by various bad actors,” he told LinuxInsider.
With security threats growing in size and complexity, open source developers should consider how well they are being served by traditional methodologies, King added.
Illegal Code Use
The illegal use of open source software is prevalent, according to the report, which may be attributed to the incorrect notion that anything open source can be used without adhering to licensing requirements.
Fifty-three percent of scanned applications had “unknown” licenses, according to the report. In other words, no one had obtained permission from the code creator to use, modify or share the software.
The audited applications contained an average of 147 open source components. Tracking the associated license obligations and spotting conflicts without automated processes in place would be impossible, according to the report.
Some 85 percent of the audited applications contained components with conflicts, most often violations of the General Public License, or GPL. Three-quarters of the applications contained components under the GPL family of licenses. Only 45 percent of them were in compliance.
Open source has become prominent in application development, according to a recent Forrester Research report referenced by Black Duck.
Custom code comprised only 10-20 percent of applications, the Forrester study found.
Companies Ignore Security
Software developers and IT staffers who use open source code fail to take the necessary steps to protect the applications from vulnerabilities, according to the Black Duck report. Even when they use internal security programs and deploy security testing tools such as static analysis and dynamic analysis, they miss vulnerable code.
Those tools are useful at identifying common coding errors that may result in security issues, but the same tools have proven ineffective at identifying vulnerabilities that enter code through open source components, the report warns.
For example, more than 4 percent of the tested applications had the Poodle vulnerability. More than 4 percent had Freak, and more than 3.5 percent had Drown. More than 1.5 percent of the code bases still had the Heartbleed vulnerability — more than two years after it was publicly disclosed, the Black Duck audits found.
Some 3,623 new open source component vulnerabilities were reported last year — almost 10 vulnerabilities per day on average, a 10 percent increase from the previous year.
That makes the need for more effective open source security and management more critical than ever. It also makes the need for greater visibility into and control of the open source in use more essential. Detection and remediation of security vulnerabilities should be a high priority, the report concludes.
The Black Duck audit report recommends that organizations adopt the following open source management practices:
- take a full inventory of open source software;
- map open source to known security vulnerabilities;
- identify license and quality risks;
- enforce open source risk policies; and
- monitor for new security threats.