Most open source software has security vulnerabilities

Audit highlights flaws in security across wide range of open source applications


An audit of more than a thousand applications containing open source code has found that 60% of them have some kind of security vulnerability.

Open source security firm Black Duck analysed 1,017 applications for its 2017 Open Source Security and Risk Analysis (OSSRA), and found that 96% of the apps contained open source code and more than 60% of the apps contained open source security vulnerabilities. 

The survey also looked at applications used in the financial sector, discovering that, on average, they contained 52 open source vulnerabilities per application, with 60% of the applications containing high risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

Black Duck CEO Lou Shipley called the findings an "eye opener" for security professionals, because the application layer is a primary target for hackers. "Exploits of open source vulnerabilities are the biggest application security risk that most companies have," he said.

Chris Fearon, director of security research at COSRI, Black Duck's open source research group, said that while many organisations are using open source, very few are doing an adequate job of detecting, remediating and monitoring open source vulnerabilities in their applications.

"The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source," he said.

The report also showed that open source licence conflicts were widespread in the audited applications, with 85% of audited applications containing components with licence conflicts. The most common challenges were General Public License (GPL) violations: 75% of applications contained components under the GPL family of licences, but only 45% of those applications were in compliance with GPL obligations.

"Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today's apps is open source. This isn't surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges," added Shipley.
