Outdated or abandoned open source components are persistent in practically all commercial software, putting enterprise and consumer applications at risk from security issues, license compliance violations, and operational threats, according to the Synopsys 2020 Open Source Security and Risk Analysis Report released Tuesday.
Synopsys researchers analyzed more than 1,250 commercial code bases. The Synopsys Cybersecurity Research Center (CyRC) examined the code base audits performed by the Black Duck Audit Services team.
The report highlights trends and patterns in open-source usage within commercial applications. It provides insights and recommendations to help organizations better manage their software risk.
The 2020 OSSRA Report reaffirms the critical role that open source plays in today’s software ecosystem.
Synopsys found that 99 percent of the code bases audited over the past year contain at least one open-source component. Open source comprised 70 percent of the code overall.
The report underscores the continued widespread use of aging or abandoned open-source components that were more than four years out of date or had not seen development activity in the last two years.
“It’s difficult to dismiss the vital role that open source plays in modern software development and deployment, but it’s easy to overlook how it impacts your application risk posture from a security and license compliance perspective,” observed Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.
The 2020 OSSRA report highlights how organizations struggle to track and manage their open-source risk effectively, he told LinuxInsider. That struggle involves maintaining an accurate inventory of third-party software components and open-source dependencies.
“Keeping it up to date is a key starting point to address application risk on multiple levels,” he said.
Key Findings
The most concerning trend in this year’s analysis is the mounting security risk posed by unmanaged open source, according to Synopsys. The code audits revealed that 75 percent of code bases contain open-source components with known security vulnerabilities.
That number is up from 60 percent in last year’s report. Similarly, 49 percent of the code bases contained high-risk vulnerabilities compared to 40 percent.
The increasing rate of open-source adoption adds to the alarm concerning unmanaged open-source code found in commercial software.
According to this year’s Synopsys report, ninety-nine percent of code bases contain at least some open source, with an average of 445 open source components per code base. That represents a significant increase from 298 open-source components found in 2018. Seventy percent of the audited code was identified as open source, a figure that increased from 60 percent in 2018 and has nearly doubled since 2015, when it stood at 36 percent.
Shifting Times
This year’s report reveals some unexpected developments when compared to last year’s analysis, indicating both good and bad results, according to Mackey.
“We are seeing shifts in overall security trends while at the same time seeing evidence that governance processes are not keeping up with increased usage,” he said.
On the good news side, this is the first year the audit did not see the HeartBleed vulnerability in underlying data. This suggests that while a long tail still exists, either refactoring efforts or simply greater awareness of high-impact vulnerabilities are bearing fruit.
On the bad news side, the increase in unpatched vulnerabilities with increased open-source usage speaks to a reliance on manual processes. This occurs at a point in time when vulnerability disclosures have increased due to additional reporting authorities, Mackey explained.
The net result is that businesses without automated solutions to filter out CVEs that could not apply to them are forced to test for disclosures that cannot possibly be exploited due to application or system composition.
Risk Trends
A summary of the most noteworthy open source risk trends found through the code audits found the following:
- Ninety-one percent of code bases contained components that were more than four years out of date or had not been developed in the past two years.
- Beyond the increased likelihood of security vulnerabilities, the risk of using outdated open-source components is that updating them can also introduce unwanted functionality or compatibility issues.
- The use of vulnerable open-source components is trending upward again. In 2019, the percentage of code bases containing vulnerable open-source components rose to 75 percent after dropping from 78 percent to 60 percent between 2017 and 2018.
- Similarly, the percentage of code bases containing high-risk vulnerabilities jumped up to 49 percent in 2019 from 40 percent in 2018.
- None of the code bases audited in 2019 had been impacted by the infamous Heartbleed bug or the Apache Struts vulnerability that haunted Equifax in 2017.
Threatens Intellectual Property, Licensing
According to the report, heavy ongoing use of unmanaged open-source components also puts intellectual property at risk. Despite its reputation for being free, open-source software, like commercial code, is governed by a license.
The researchers found that 68 percent of code bases contained some form of open-source license conflict, and 33 percent contained open-source components with no identifiable license.
Security vulnerabilities are a major concern, the report concludes. Nearly half the code bases contained high-risk vulnerabilities.
Some 73 percent of those vulnerabilities exposed the code base owners to possible legal problems. Open-source components have licenses that appear to conflict with the overall license of the code base or have no license at all.
The prevalence of license conflicts varied significantly by industry, according to the report.
Those conflicts ranged from a high of 93 percent for Internet and mobile apps to a low of 59 percent for virtual reality, gaming, entertainment, and media apps.
About the Report
This is the fifth edition of Synopsys’ Open Source Security and Risk Analysis Report. It provides an in-depth snapshot of the current state of open-source security, compliance, and code quality risk in commercial software.
Its results are based on the anonymized data reviewed by Synopsys’ open-source audit services teams in 2019. For the purposes of this code audit, Synopsys defined a code base as the source code and libraries that underlie an application, service, or library.
Researchers defined managed software as software whose components’ source, age, licensing, and version information are identified and tracked. They also examined applied or missing updates and security patches.
Report Takeaways
Organizations need to do a much better job maintaining open-source components, the 2020 OSSRA report concludes. That code is a crucial part of the software they build or use.
“We continue to recommend businesses invest in automation to create accurate inventory, but the real story is one of process,” said Mackey. Development, enterprise IT, and corporate legal teams need to define a process for open source usage.”
It is no longer advisable to download an open-source component, package, or solution and simply use it. If that download is not properly managed, it exposes the business to the same level of governance challenge as any commercial software, he added.
The key difference is that there is no commercial entity for lawyers to lean on for a fix. That patch will need to come either from the open-source community supporting the component or from within the local development team, which ideally would submit its fix to the community.
“Either way, if community engagement is not part of the process, then it becomes that much harder to remain in a patch-compliant state,” said Mackey.
Worse or Better Security?
According to Mackey, the OSSRA report does not examine the overall security of open-source software. Rather, it examines how well it is governed when used in a commercial setting.
“That being said, we do perform a deeper analysis on a few prominent vulnerabilities found within the dataset to better understand what the core risk is,” he clarified.
Open-source software security presents new challenges. According to Thomas Hatch, CTO of SaltStack, it is very common, almost universal, for proprietary software to include open-source software.
“It is also critical to remember that the version of the open source software included with the proprietary software may not be reliably disclosed or disclosed at all. Tracking this becomes nearly impossible,” he told LinuxInsider.
The original argument for open-source software being more secure was that many eyes could bring more fixes. However, Hatch observed that that assertion did not seem to account for the modern sprawl of small open-source projects.
“Today, there is so much open source code that it is increasingly difficult to audit. I would say that the state of security in open-source software is worse this year than last,” he said.
While major projects are improving, the growth of the overall landscape has far outpaced tracking capabilities. Hatch said this report is very useful, but it would be even more powerful as an ongoing discovery project.
Useful Not Futile
Issuing this type of report year after year serves a real corrective purpose, assured Mackey.
When the company started the OSSRA report five years ago, there was a real lack of awareness among business leaders as to the impact of open source activities on their overall operations, he explained.
That was the backdrop to a number of high-profile exploitations of open-source vulnerabilities. Five years later, the complexity of regulatory requirements has increased along with the growth of open source.
The OSSRA report is based on commercial applications acquired in mergers and acquisitions. The underlying data offers a perspective on open source that cannot be obtained from a simple survey of development teams or other lightweight data gathering, said Mackey.
DevOps Security Needs
The Synopsys 2020 OSSRA report provides a good indicator of high-level trends, according to Ali Golshan, CTO of StackRox. However, there should be a lot more that companies consider in their decision-making, particularly related to open-source security.
“Issues of risk associated with open source have become increasingly dynamic as the adoption of DevOps practices in conjunction with open source solutions has led to the more widespread deployment of cloud-native technologies,” he told LinuxInsider.
Golshan noted that the overall attack surface is shifting substantially in the cloud-native space from traditional exploits and runtime attacks to a focus on the larger attack surface exposed throughout the build process.
He cautioned that using cloud-native technologies alongside open-source components can be advantageous from an operational perspective while challenging from a security standpoint. “Reports like Synopsys should be considered a good reminder to look more closely at how to secure the build process.”
Loading ...
