Organizations, regardless of industry, must do a better job maintaining open source components given their critical nature in software, according to this year’s risk analysis report by cybersecurity firm Synopsys.
Open-source software is now the foundation for the vast majority of applications across all industries. However, many of those industries are struggling to manage open-source risk.
Synopsys released the 2021 Open Source Security and Risk Analysis (OSSRA) report on April 13. The report examines open-source audit results, including usage trends and best practices across commercial applications.
Researchers analyzed more than 1,500 commercial codebases and found that open-source security, license compliance, and maintenance issues are pervasive in every industry sector. The report highlights trends in open-source usage within commercial applications and provides insights to help commercial and open-source developers better understand the interconnected software ecosystem.
Consider that all the companies audited in the marketing tech industry sector had open source in their codebases. These include major software platforms used for lead generation, CRM, and social media. Ninety-five percent of those codebases contained open-source vulnerabilities.
“That more than 90 percent of the codebases were using open source with no development activity in the past two years is not surprising,” said Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.
Risk Factors Widen
The Synopsys report details the pervasive risks posed by unmanaged open-source code. These risks range from security vulnerabilities to outdated or abandoned components to license compliance issues.
“Unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive. When an open source component is adopted into a commercial offering without that engagement, project vitality can easily wane,” Mackey explained.
Orphaned projects are not a new problem. When they occur, addressing security issues becomes that much more difficult. The solution is a simple one — invest in supporting those projects you depend upon for your success, he added.
Open-source risk trends identified in the 2021 OSSRA report reveal that outdated open-source components in commercial software are the norm. A hefty 85 percent of the codebases contained open-source dependencies that were more than four years out-of-date.
One of the most significant takeaways from this year’s report was the predominant growth of orphaned open-source code, according to Fred Bals, senior researcher at Synopsys Cybersecurity Research Center.
“An alarming 91 percent of the codebases we audited contained open source that had no development activity in the last two years — meaning no code improvements and no security fixes,” he told LinuxInsider. Orphaned open source is a significant and growing problem.”
Unlike abandoned projects, outdated open-source components have active developer communities that publish updates and security patches that are not being applied by their downstream commercial consumers, according to Mackey.
Beyond the obvious security implications of neglecting to apply patches, the use of outdated open-source components can contribute to unwieldy technical debt. That debt comes in the form of functionality and compatibility issues associated with future updates.
The prevalence of open-source vulnerabilities is trending in the wrong direction, according to researchers. In 2020, the percentage of codebases containing vulnerable open-source components rose to 84 percent, a nine percent increase from 2019.
Similarly, the percentage of codebases containing high-risk vulnerabilities jumped from 49 percent to 60 percent. Several of the top 10 open-source vulnerabilities found in codebases in 2019 reappeared in the 2020 audits with significant percentage increases.
Over 90 percent of the audited codebases contained open-source components with license conflicts, customized licenses, or no license at all. Another factor is that 65 percent of the codebases audited in 2020 contained open-source software license conflicts, typically involving the GNU General Public License, according to the report.
At least 26 percent of the codebases were using open source with no license or a customized license. All three issues often need to be evaluated for potential intellectual property infringement and other legal concerns, especially in the context of merger and acquisition transactions, researchers noted.
All of the companies audited in the marketing tech category — which includes lead-generation, CRM, and social media — contained open source in their codebases. Almost all of them (95 percent) had open-source vulnerabilities.
Researchers found comparable figures in the audited databases of retail, financial services, and healthcare sectors, according to Bals.
In the healthcare sector, 98 percent of the codebases contained open source. Within those codebases, 67 percent contained vulnerabilities.
In the financial services/fintech sector, 97 percent of the codebases contained open source. Over 60 percent of those codebases contained vulnerabilities.
In the retail and e-commerce sector, 92 percent of codebases contained open source, and 71 percent of the codebases contained vulnerabilities.
In 2020 the percentage of codebases containing high-risk vulnerabilities jumped from 49 to 60 percent. What was more disturbing is that several of the top 10 open source vulnerabilities found in 2019 codebases reappeared in the 2020 audits, all with significant percentage increases, observed Bals.
“When you look at the industry breakdowns, there is an indication that the increase in vulnerabilities may be at least partly due to the pandemic and the significant increase in the use of marketing, retail, and customer relationship technologies,” he explained.
Open source is by and large safe, Bals insisted. It is the unmanaged use of open source that creates the issue.
“Developers and the businesses behind them need to treat the open source they use in the same way as the code they write themselves. That means creating and maintaining a comprehensive inventory of the open source their software uses, getting accurate information on vulnerability severity and exploitability, and having a clear direction on how to patch the affected open source,” he said.
Not too long ago, commercial vendors referred to open source as “snake oil” and even as a disease, noted Bals. Many commercial companies even banned their developers from using open source.
Happily, those days are over. You would be hard-pressed today to find an application that does not depend on open source, he countered.
“But open source management has not yet caught up with open source use. Many development teams are still using manual processes like spreadsheets to track open source. There is now much too much open source to track without automating the process,” he added.