According to the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys and published today, open source adoption in the enterprise is growing fast. Unfortunately, the statistics regarding vulnerabilities in open source codebases are equally high.
Analysing anonymised data from more than 1,100 commercial codebases, the researchers found that 96 percent of the applications audited across 2017 contained open source components. Representing industries from automotive to healthcare, financial services to manufacturing, and even cyber-security, the report reckons this reflects a 75 percent growth in open source adoption over the previous year. Indeed, the research suggests that most applications now contain more open source code than they do proprietary code.
All of which is good news for fans of open source. The less good news is that 78 percent of the audited codebases contained at least one open source vulnerability. More worrying is that 54 percent of these vulnerabilities were considered to be high-risk, and 17 percent were very well publicised ones such as Freak, Heartbleed and Poodle.
While the most vulnerable open source components were found within the Internet and Software Infrastructure vertical, with 67 percent of applications containing high-risk vulnerabilities, the cyber-security industry also fared badly, with 41 percent of its applications containing them as well.
Dig deeper, and the worries become even greater: 33 percent of codebases containing Apache Struts, for example, also contained the vulnerability that led to the Equifax breach. This accumulation of vulnerabilities within codebases must be of concern, as must the fact that, on average, the vulnerabilities identified across the board had been publicly disclosed six years earlier.
Tim Mackey, technical evangelist at Black Duck by Synopsys, told SC Media UK that despite these figures "there is no evidence that suggests open source code is less secure than commercial code" and "many would argue that open source code is more secure, as it benefits from the scrutiny of 'many eyes' in the broad and diverse open source community." The onus to improve the situation doesn't fall on the open source community, according to Mackey, but rather "the 96 percent of commercial organisations consuming open source need to adopt policies and automated tools to help them select secure, high quality open source components from the outset and patch or update them when critical vulnerabilities are disclosed."
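The two points above, the per-codebase metrics the report tallies (share of high-risk findings, age of disclosure) and Mackey's remedy of automated tooling that flags vulnerable components and the version to update to, can be illustrated with a small dependency audit. This is an added example, not the report's or Black Duck's tooling. It assumes a pip-style "name==version" manifest with purely numeric dotted versions and a hand-built advisory list; every component name, version, advisory and date below is constructed sample data, not a real advisory.

```python
"""Minimal open source component audit (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: Version   # versions strictly below this are affected (simplifying assumption)
    severity: str       # "high", "medium" or "low"
    disclosed: date     # public disclosure date
    summary: str


@dataclass(frozen=True)
class Finding:
    component: str
    version: Version
    advisory: Advisory


def parse_version(text: str) -> Version:
    """'2.3.31' -> (2, 3, 31). Numeric dotted versions only (assumption)."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_manifest(text: str) -> Dict[str, Version]:
    """Parse 'name==version' lines; blank lines and '#' comments are ignored."""
    manifest: Dict[str, Version] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        manifest[name.strip().lower()] = parse_version(version)
    return manifest


def audit(manifest: Dict[str, Version], advisories: List[Advisory]) -> List[Finding]:
    """Match every advisory against the pinned version of its component."""
    findings = []
    for adv in advisories:
        version = manifest.get(adv.component.lower())
        if version is not None and version < adv.fixed_in:
            findings.append(Finding(adv.component, version, adv))
    return findings


def summarize(manifest: Dict[str, Version], findings: List[Finding], as_of: date) -> dict:
    """Per-codebase metrics of the kind the OSSRA report reports, plus an upgrade plan."""
    vulnerable = {f.component.lower() for f in findings}
    high = [f for f in findings if f.advisory.severity == "high"]
    ages = [(as_of - f.advisory.disclosed).days / 365.25 for f in findings]
    # For each affected component, the lowest version that clears all of its advisories.
    plan: Dict[str, Version] = {}
    for f in findings:
        plan[f.component] = max(plan.get(f.component, ()), f.advisory.fixed_in)
    return {
        "components": len(manifest),
        "vulnerable_components": len(vulnerable),
        "findings": len(findings),
        "high_risk_share": round(len(high) / len(findings), 2) if findings else 0.0,
        "mean_disclosure_age_years": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "upgrade_plan": sorted((c, ".".join(map(str, v))) for c, v in plan.items()),
    }


# Constructed sample manifest and advisories (not real projects or CVEs).
MANIFEST = """
# constructed sample manifest
libwidget==1.4.2
netparse==0.9.0
jsonfmt==3.1.0
imgcodec==2.0.5
"""

ADVISORIES = [
    Advisory("libwidget", (1, 5, 0), "high", date(2012, 6, 1), "constructed: over-read in widget parser"),
    Advisory("netparse", (1, 0, 0), "high", date(2016, 3, 14), "constructed: header parsing crash"),
    Advisory("netparse", (0, 9, 3), "medium", date(2017, 9, 5), "constructed: malformed input hang"),
    Advisory("jsonfmt", (3, 0, 0), "high", date(2015, 1, 1), "constructed: fixed before the pinned version"),
    Advisory("imgcodec", (2, 1, 0), "low", date(2018, 1, 10), "constructed: verbose error leaks path"),
]

AS_OF = date(2018, 5, 15)  # constructed audit date


def run_example() -> dict:
    manifest = parse_manifest(MANIFEST)
    return summarize(manifest, audit(manifest, ADVISORIES), AS_OF)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the sample data, three of the four components carry at least one finding, half of the findings are high-risk, and the mean time since disclosure is 2.3 years; the upgrade plan lists the version each affected component needs to reach. Real tooling replaces the hand-built list with a maintained advisory feed and a proper version-range parser, but the matching and the metrics are the same.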
SC Media UK has just returned from the Red Hat Summit in San Francisco, and took the opportunity to catch up with Red Hat's chief security architect, Mike Bursell, who disagrees with Mackey. "The open source community does need to apply more eyes," Bursell insists, "specifically more expert eyes." His argument is that the dictum of many eyes making all bugs shallow can be somewhat misleading if the people looking at the code are either not experts or simply not looking particularly for vulnerabilities. "The community also needs to use its resources wisely," Bursell continues. "Which projects are most important to users, and which would have the most impact if problems were found?" Where Bursell is in agreement with Mackey is that there's little evidence to suggest proprietary code contains fewer vulnerabilities than open source. "It is, however, easier to hush vulnerabilities up when they are discovered in proprietary code," Bursell concludes, "and they almost always are..."
And what of the news that the cyber-security industry is so badly impacted by high-risk open source vulnerabilities within its apps? Ian Trump, chief technology officer at Octopi Research Lab, told SC Media UK that we need to keep things in perspective. "To be truly meaningful the vulnerabilities need to be exploitable, and the vast majority of those vulnerabilities are not remote code executable with user level of privileges," Trump explains. "I expected this revelation, but sunlight and scrutiny of code is the best debug technique out there..."