Much software is built on a foundation of reusable open source components, but those who use open source often overlook the associated security and licensing risks. Software developers routinely take code from open source repositories and embed it in their company's products to speed up development. While the efficiency gains and cost savings of code reuse are clear, enterprises rarely review that open source code regularly for potential security and legal issues. Few companies manage their developers' use of open source, and as a result they remain unaware of their open source risks and obligations.
Synopsys (Nasdaq: SNPS) recently released the 2019 Open Source Security and Risk Analysis (OSSRA) report. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), reviews the results of audits of more than 1,200 commercial applications and libraries performed by the Black Duck Audit Services team. It highlights trends and patterns in open source usage, as well as the prevalence of insecure open source components and license conflicts.
The report shows that enterprises are now facing challenges in managing open source application risks, and these challenges have been evident in the past few years. However, the data also shows that an inflection point has been reached, and many enterprises have improved their ability to manage open source risks due to increased risk awareness and the maturity of commercial software component analysis solutions.
"Open source plays an increasingly important role in modern software development and deployment, but to realize its value, organizations need to understand and manage how it impacts their risk posture from a security and license compliance perspective," said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. "The 2019 OSSRA report provides an overview of the state of open source risk management in commercial applications. The report shows that significant challenges remain, with the vast majority of applications containing open source security vulnerabilities and license conflicts, but also highlights that these challenges are solvable, as the number of open source vulnerabilities and license conflicts decreased compared to last year."
The most notable open source risk trends in the 2019 OSSRA report include:
● Open source adoption has increased significantly. 96% of the code bases audited in 2018 contained open source components, with an average of 298 open source components per code base, compared to 257 in 2017.
● Open source license conflicts can put intellectual property at risk. 68% of code bases contain some form of open source license conflict, and 38% contain open source components without a recognizable license.
● Use of “abandoned” components is common. 85% of codebases contain components that are older than four years or have not been developed in the past two years. If a component is inactive or unmaintained, it means that no one is addressing its potential vulnerabilities.
● Many organizations fail to patch or update their open source components. The average age of vulnerabilities identified in the 2018 Black Duck audits was 6.6 years, slightly higher than in 2017, which suggests that remediation efforts have not improved significantly. 43% of code bases scanned in 2018 contained vulnerabilities that were more than ten years old. The National Vulnerability Database recorded 16,500 new vulnerabilities in 2018, so patching processes need to scale to keep pace with the growing number of disclosed vulnerabilities.
● Not all vulnerabilities are equal, but many organizations don’t even address the riskiest ones. More than 40% of code bases contain at least one high-risk open source vulnerability.
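As an added illustration (not code from the report or from Synopsys), the following Python applies the risk criteria listed above to a constructed component inventory: components older than four years or idle for more than two, components without a recognizable license, license conflicts, high-risk vulnerabilities, and vulnerabilities more than ten years old. The component names, dates and scores, the CVSS cut-off for "high-risk", and the set of conflicting licenses are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Component:
    name: str
    first_release: date          # release date of the version in use
    last_commit: date            # most recent upstream development activity
    license: Optional[str]       # None means no recognizable license
    max_cvss: float = 0.0        # highest CVSS score among known vulnerabilities
    oldest_vuln_year: Optional[int] = None  # year of the oldest known vulnerability

# Thresholds taken from the report's definitions; the CVSS cut-off is an assumption.
ABANDONED_AGE_YEARS = 4     # component older than four years
INACTIVE_YEARS = 2          # no development in the past two years
OLD_VULN_YEARS = 10         # vulnerabilities more than ten years old
HIGH_RISK_CVSS = 7.0        # assumed cut-off for "high-risk"
# Assumed: strong copyleft licenses conflict with a proprietary product's licensing.
CONFLICTING_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def audit(components: List[Component], today: date) -> Dict[str, List[str]]:
    """Apply the report's risk criteria and return component names per finding."""
    findings: Dict[str, List[str]] = {k: [] for k in
        ("abandoned", "unlicensed", "license_conflict", "high_risk", "old_vulns")}
    for c in components:
        age_years = (today - c.first_release).days / 365.25
        idle_years = (today - c.last_commit).days / 365.25
        if age_years > ABANDONED_AGE_YEARS or idle_years > INACTIVE_YEARS:
            findings["abandoned"].append(c.name)
        if c.license is None:
            findings["unlicensed"].append(c.name)
        elif c.license in CONFLICTING_LICENSES:
            findings["license_conflict"].append(c.name)
        if c.max_cvss >= HIGH_RISK_CVSS:
            findings["high_risk"].append(c.name)
        if c.oldest_vuln_year is not None and today.year - c.oldest_vuln_year > OLD_VULN_YEARS:
            findings["old_vulns"].append(c.name)
    return findings

# Constructed sample inventory (hypothetical names, dates and scores, not audit data).
AS_OF = date(2018, 9, 1)
SAMPLE = [
    Component("libfoo", date(2013, 5, 1), date(2014, 1, 10), "MIT", 9.8, 2007),
    Component("barlib", date(2017, 3, 1), date(2018, 6, 1), "Apache-2.0", 4.3, 2016),
    Component("bazutil", date(2016, 8, 1), date(2018, 7, 1), None),
    Component("quxcore", date(2018, 1, 15), date(2018, 8, 20), "GPL-3.0-only", 7.5, 2018),
]
```

Running `audit(SAMPLE, AS_OF)` flags libfoo as abandoned, high-risk and carrying a vulnerability older than ten years, bazutil as unlicensed, and quxcore as a license conflict with a high-risk vulnerability.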
The report shows that the use of open source software is not a problem in itself; in fact, it is critical to software innovation. However, failing to proactively identify and manage the security and license risks associated with open source components can be extremely damaging. While risk factors remain, the 2019 OSSRA data shows that, since the Equifax data breach, increased open source risk awareness and the maturity of commercial software component analysis solutions have led to progress:
Enterprises are getting better at managing open source security vulnerabilities. 60% of code bases audited in 2018 contained at least one vulnerability, an improvement from 78% in 2017.
Open source license compliance has also improved overall, with 68% of code bases audited in 2018 containing components with conflicting licenses, compared to 74% in 2017.