Most open source software has security vulnerabilities
Audit highlights flaws in security across wide range of open source applications
An audit of more than a thousand applications containing open source code has found that 60% of them have some kind of security vulnerability.
Open source security firm Black Duck analysed 1,017 applications for its 2017 Open Source Security and Risk Analysis (OSSRA), and found that 96% of the apps contained open source code and more than 60% of the apps contained open source security vulnerabilities.
The survey also looked at applications used in the financial sector, discovering that, on average, they contained 52 open source vulnerabilities per application, with 60% of the applications containing high risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
Black Duck CEO Lou Shipley called the findings an "eye opener" for security professionals, because the application layer is a primary target for hackers. "Exploits of open source vulnerabilities are the biggest application security risk that most companies have," he said.
Chris Fearon, director at Black Duck's open source security research group, COSRI's security research arm, said that while many are using open source, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications.
"The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source," he said.
The report also showed that open source licence conflicts were also found to be widespread in the audited applications, with 85% of audited applications containing components with license conflicts. The most common challenges were general public license (GPL) GPL violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.
"Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today's apps is open source. This isn't surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges," added Shipley.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now