With 96% of all apps containing open-source components, it should be alarming to learn that roughly two-thirds (over 60%) of apps using open source contain known software vulnerabilities.
And, 85% contain license conflicts.
That’s according to the second-annual 2017 Open Source Security & Risk Analysis report from Black Duck’s Center for Open Source Research and Innovation (COSRI), which examined findings from more than 1,000 commercial applications audited in 2016. The firm found that financial services, retail and e-commerce companies’ systems had the highest number of vulnerabilities per application.
Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, director at Black Duck’s Northern Ireland-based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organizations in every industry have a long way to go before they are effective in managing their open source.”
The widespread open-source license conflicts can be attributed to the fact that the audited applications contained 147 open source components on average—a daunting number of license obligations to keep track of. The most common challenges were GPL license violations: 75% of applications contained components under the GPL family of licenses, but only 45% of those applications were in compliance with GPL obligations.
“Open-source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open-source,” said Black Duck CEO Lou Shipley. “This isn’t surprising, because open-source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges.”
Shipley said he expected the open-source audit findings to be eye-opening for security executives, because the application layer is a primary target for hackers: “Exploits of open-source vulnerabilities are the biggest application security risk that most companies have.”