Outdated or abandoned open source components are persistent in practically all commercial software, putting enterprise and consumer applications at risk from security issues, license compliance violations, and operational threats, according to the Synopsys 2020 Open Source Security and Risk Analysis Report released Tuesday.
Synopsys researchers analyzed more than 1,250 commercial code bases. The Synopsys Cybersecurity Research Center (CyRC) examined the code base audits performed by the Black Duck Audit Services team.
The report highlights trends and patterns in open source usage within commercial applications. It provides insights and recommendations to help organizations better manage their software risk.
The 2020 OSSRA Report reaffirms the critical role that open source plays in today’s software ecosystem.
Effectively 99 percent of the code bases audited over the past year contain at least one open source component, Synopsys found. Open source comprised 70 percent of the code overall.
The report underscores the continued widespread use of aging or abandoned open source components that either were more than four years out of date or had seen no development activity in the last two years.
“It’s difficult to dismiss the vital role that open source plays in modern software development and deployment, but it’s easy to overlook how it impacts your application risk posture from a security and license compliance perspective,” observed Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.
The 2020 OSSRA report highlights how organizations struggle to track and manage their open source risk effectively, he told LinuxInsider. That struggle involves maintaining an accurate inventory of third-party software components and open source dependencies.
“Keeping it up to date is a key starting point to address application risk on multiple levels,” he said.
The most concerning trend in this year’s analysis is the mounting security risk posed by unmanaged open source, according to Synopsys. The code audits revealed that 75 percent of code bases contain open source components with known security vulnerabilities.
That number is up from 60 percent in last year’s report. Similarly, 49 percent of the code bases contained high-risk vulnerabilities compared to 40 percent.
The increasing rate of open source adoption adds to the alarm concerning unmanaged open source code found in commercial software.
Ninety-nine percent of code bases contain at least some open source, with an average of 445 open source components per code base, according to this year’s Syopsys report. That represents a significant increase from 298 open source components found in 2018. Seventy percent of the audited code was identified as open source, a figure that increased from 60 percent in 2018 and has nearly doubled since 2015 when it stood at 36 percent.
This year’s report reveals some unexpected developments when compared to last year’s analysis, indicating both good and bad results, according to Mackey.
“We are seeing shifts in overall security trends, while at the same time seeing evidence that governance processes are not keeping up with increased usage,” he said.
On the good news side, this is the first year the audit did not see the HeartBleed vulnerability in underlying data. This suggests that while a long tail still exists, either refactoring efforts or simply greater awareness of high impact vulnerabilities are bearing fruit.
On the bad news side, the increase in unpatched vulnerabilities with increased open source usage speaks to a reliance on manual processes. This occurs at a point in time when vulnerability disclosures have increased due to additional reporting authorities, Mackey explained.
The net result is that businesses without automated solutions to filter out CVEs that could not apply to them are forced to test for disclosures that cannot possibly be exploited due to application or system composition.
A summary of the most noteworthy open source risk trends found through the code audits found the following:
- Ninety-one percent of code bases contained components that either were more than four years out of date or had no development activity in the past two years.
- Beyond the increased likelihood that security vulnerabilities exist, the risk of using outdated open source components is that updating them also can introduce unwanted functionality or compatibility issues.
- The use of vulnerable open source components is trending upward again. In 2019, the percentage of code bases containing vulnerable open source components rose to 75 percent after dropping from 78 percent to 60 percent between 2017 and 2018.
- Similarly, the percentage of code bases containing high-risk vulnerabilities jumped up to 49 percent in 2019 from 40 percent in 2018.
- None of code bases audited in 2019 had been impacted by the infamous Heartbleed bug or the Apache Struts vulnerability that haunted Equifax in 2017.
Threatens Intellectual Property, Licensing
Heavy ongoing use of unmanaged open source components also puts intellectual property at risk, according to the report. Despite its reputation for being free, open source software, just like commercial code, is governed by a license.
The researchers found that 68 percent of code bases contained some form of open source license conflict. Thirty-three percent contained open source components with no identifiable license.
Security vulnerabilities are a major concern, the report concludes. Nearly half the code bases contained high-risk vulnerabilities.
Some 73 percent of those vulnerabilities exposed the code base owners to possible legal problems. Open source components have licenses that appear to conflict with the overall license of the code base or have no license at all.
The prevalence of license conflicts varied significantly by industry, according to the report.
Those conflicts ranged from a high of 93 percent for Internet and mobile apps to a low of 59 percent for virtual reality, gaming, entertainment and media apps.
About the Report
This is the fifth edition of Synopsys’ Open Source Security and Risk Analysis Report. It provides an in-depth snapshot of the current state of open source security, compliance, and code quality risk in commercial software.
Its results are based on the anonymized data reviewed by Synopsys’ open source audit services teams in 2019. For the purposes of this code audit, Synopsys defined a code base as the source code and libraries that underlie an application, service or library.
Researchers defined managed software as the software components’ source, age, licensing and version information identified and tracked. Researchers also looked at applied or missing updates and security patches.
Organizations need to do a much better job maintaining open source components, the 2020 OSSRA report concludes. That code is a crucial part of the software they build or use.
“We continue to recommend businesses invest in automation to create an accurate inventory, but the real story is one of process,” said Mackey. “Development, enterprise IT and corporate legal teams need to define a process for open source usage.”
It no longer is advisable to download an open source component, package or solution and simply use it. If that download is not properly managed, then it exposes the business to the same level of governance challenge as any commercial software might, he added.
The key difference is that there is no commercial entity for lawyers to lean on for a fix. That patch will need to come either from the open source community supporting the component, or from within the local development team, which ideally would submit its fix to the community.
“Either way, if community engagement is not part of the process, then it becomes that much harder to remain in a patch-compliant state,” said Mackey.
Worse or Better Security?
The OSSRA report does not look at the overall security of open source software, according to Mackey. Rather, it looks at how well governed it is when used in a commercial setting.
“That being said, we do perform a deeper analysis on a few prominent vulnerabilities found within the dataset to better understand what the core risk is,” he clarified.
Open source software security presents new challenges. It is very common, almost universal, that proprietary software will include open source software, according to Thomas Hatch, CTO of SaltStack.
“It is also critical to remember that the version of the open source software included with the proprietary software may not be reliably disclosed, or disclosed at all. Tracking this becomes nearly impossible,” he told LinuxInsider.
The original argument for open source software being more secure was that many eyes could bring more fixes. However, that assertion did not seem to account for the modern sprawl of small open source projects, Hatch observed.
“Today there is so much open source code that it is increasingly difficult to audit.I would say that the state of security in open source software is worse this year than last,” he said.
While major projects are improving, the growth of the overall landscape has far outpaced tracking capabilities. This report is very useful, but it would be even more powerful as an ongoing discovery project, Hatch said.
Useful Not Futile
Issuing this type of report year after year serves a real corrective purpose, assured Mackey.
When the company started the OSSRA report five years ago, there was a real lack of awareness among business leaders as to the impact of open source activities on their overall operations, he explained.
That was the backdrop to a number of high-profile exploitations of open source vulnerabilities. Five years later, the complexity of regulatory requirements has increased along with the growth of open source.
The OSSRA report is based on commercial applications acquired in mergers and acquisitions. The underlying data offers a perspective on open source that cannot be obtained from a simple survey of development teams or other lightweight data gathering, said Mackey.
DevOps Security Needs
The Synopsys 2020 OSSRA report provides a good indicator of high-level trends, according to Ali Golshan, CTO of StackRox. However, there should be a lot more that companies consider in their decision making, particularly related to open source security.
“Issues of risk associated with open source have become increasingly dynamic as the adoption of DevOps practices in conjunction with open source solutions has led to the more widespread deployment of cloud-native technologies,” he told LinuxInsider.
The overall attack surface is shifting substantially in the cloud-native space — from traditional exploits and runtime attacks to a focus on the larger attack surface exposed throughout the build process, Golshan noted.
Using cloud-native technologies alongside open source components can be advantageous from an operational perspective while challenging from a security standpoint, he cautioned. “Reports like Synopsys’ should be considered a good reminder to look more closely at how to secure the build process.”