Much of the world’s application innovation is now based on open-source software, according to Gartner.
The overwhelming majority of modern codebases contain open-source components, open-source comprise 70% or more of the overall code. Yet paralleling the growth of open-source use is the mounting security risk posed by unmanaged open-source.
According to the 2020 OSSRA report, 75% of the codebases audited by Synopsys contain open-source components with known security vulnerabilities.
The Synopsys Cybersecurity Research Center (CyRC) report, DevSecOps Practices and Open-source Management in 2020, noted that to combat this situation, respondents to the survey cite identification of known security vulnerabilities as the number one criterion when vetting new Open-source components.
“It’s clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk," said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.
He added that “The ‘DevSecOps Practices and Open-source Management in 2020’ report highlights how organisations are struggling to effectively track and manage their open-source risk.
The report noted that 51% acknowledged taking as many as two to three weeks for them to apply an open-source patch
“This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open-source components are in use and when updates are released. The remaining organisations are probably employing manual processes to manage open-source — processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” he added.
Other noteworthy findings:
- DevSecOps is rapidly growing worldwide. 63% of respondents reported that they are incorporating some measure of DevSecOps activities into their software development pipelines.
- There is no universally adopted application security testing (AST) tool. There is no shortage of application security testing tools and techniques. Despite the high adoption rate of AST tools, less than half actually use these.
- The media plays an important role in open-source risk management. 46% of respondents noted that media coverage had prompted their organisation to apply more stringent controls on open-source usage.
- 47% of respondents are defining standards around the age of open-source components they use. A growing issue in the open-source community is project sustainability. A 2020 Synopsys study showed that 91% of codebases audited in 2019 contained open-source components that either were more than four years out of date or had no development activity in the past two years.
Security risks increase when obsolete code is deployed, including the threat of an open-source component being hijacked. Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts.