Most open source software has security vulnerabilities
Audit highlights flaws in security across wide range of open source applications
An audit of more than a thousand applications containing open source code has found that 60% of them have some kind of security vulnerability.
Open source security firm Black Duck analysed 1,017 applications for its 2017 Open Source Security and Risk Analysis (OSSRA), and found that 96% of the apps contained open source code and more than 60% of the apps contained open source security vulnerabilities.
The survey also looked at applications used in the financial sector, discovering that, on average, they contained 52 open source vulnerabilities per application, with 60% of the applications containing high risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
Black Duck CEO Lou Shipley called the findings an "eye opener" for security professionals, because the application layer is a primary target for hackers. "Exploits of open source vulnerabilities are the biggest application security risk that most companies have," he said.
Chris Fearon, director at Black Duck's open source security research group, COSRI's security research arm, said that while many are using open source, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications.
"The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source," he said.
The report also showed that open source licence conflicts were also found to be widespread in the audited applications, with 85% of audited applications containing components with license conflicts. The most common challenges were general public license (GPL) GPL violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.
"Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today's apps is open source. This isn't surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges," added Shipley.
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now