Tim Mackey, Technology Evangelist, Black Duck Software
The arguments for open source are straightforward – open source lowers development costs, speeds time to market, and accelerates innovation. When it comes to developing software, every organisation wants to spend less time on what are becoming code commodities – such as the core operating system and components connecting the various pieces together – and focus on unique features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.
But visibility and control of open source are essential to maintain the security, licence compliance, and code quality of software applications and platforms.
During 2016, Black Duck’s Center for Open Source Research and Innovation (COSRI) examined findings from the anonymised data of more than 1,000 commercial applications to compile our annual Open Source Security and Risk Analysis (OSSRA) report and provide an in-depth look at the current state of open source security, compliance, and code-quality risk in commercial software. Our goal was to offer organisations a better understanding of:
- How much open source is being used in the average application?
- Which components and versions are most popular?
- What licences are most common?
- Which components pose the highest security threat to applications?
- Where do the most vulnerabilities show up and how long have they been there?
- Which industries are managing open source well and which are putting their applications at risk?
Alarming Vulnerability Risk Across Verticals
Given that open source is at the core of commercial application development, it should be no surprise that almost all – 96 percent – of the applications scanned in the COSRI analysis utilised open source, with the respective applications having nearly 150 unique open source components on average. What may come as a surprise was that 67 percent of the applications containing open source also had known vulnerabilities, and legal risks were even more widespread.
From an industry level, the results are even more alarming. The Retail and E-commerce space had the highest proportion – 83 percent – of applications containing high-severity vulnerabilities. The Financial Services and FinTech industry had the highest – 53 percent – average vulnerabilities per application, with 60 percent of those applications containing high-risk vulnerabilities. Ironically, the audits also revealed that cybersecurity applications had a disturbingly high incidence – 59 percent – of high-risk vulnerabilities.
These vulnerabilities (and, in many cases, associated exploits) have, on average, been publicly disclosed for slightly over four years, giving would-be hackers a ripe target. In short, companies across all verticals have a lot of work to do to close the open source vulnerability management gap.
Many organisations are only starting to recognise a key attribute of open source software – security is a collaborative effort between creator and consumer. Unlike commercial software, open source projects often lack direct consumer engagement and thus are unaware of who their users are. This lack of direct engagement transfers responsibility for security response from the creator to the consumer. It then becomes the responsibility of organisations to both inventory their use of open source software and components and then proactively monitor for security issues disclosed against that bill of materials.
Licence Compliance also a Risk Across Verticals
While security risk tends to get the headlines because of high-profile vulnerabilities such as the recent Apache Struts 2, Heartbleed, and Shellshock, it is also important to recognise the importance of open source licence compliance in reducing risk.
Most open source components are governed by one of about 2,500 known open source licences, and the licence obligations can only be tracked and managed if the components themselves are identified.
Eighty-five percent of the applications audited by the COSRI team contained components with licence conflicts, the most common of which were GPL licence violations. Seventy-five percent of applications contained components under the GPL family of licences, but only 45 percent of those applications complied with GPL obligations.
Components with no identifiable licence terms are also problematic. While only about one percent of components analysed for the OSSRA had no clear licence, these components were found in 53 percent of applications scanned.
Software that does not have a licence generally means no one has permission from the creator(s) of the software to use, modify, or share the software. Creative work (which includes code) is under exclusive copyright by default. Unless a licence specifies otherwise, nobody else can use, copy, distribute, or modify that work without being at risk of litigation. Lack of clear statements of rights and obligations leaves teams at greater risk of violating “hidden” terms. As one open source-savvy attorney has put it, “At least with the GPL, you know what you are dealing with.”
Recommendation: Know Your Code
While today’s open source management landscape can only be termed substandard at best, OSSRA also points out a path forward for organisations that want to do better, providing steps they can take to defend against security threats and licence risks. The key takeaways here are:
- Make sure you have a full and accurate inventory of the open source in your applications
- Map your open source to known security vulnerabilities referenced in public sources such as the National Vulnerability Database
- Track and manage the licence and quality risks in your code
- Set and enforce open source risk policies to mitigate the risks to your organisation
- Monitor for new security threats that are being revealed every day
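The five steps above form a single pipeline: build the inventory, match it against a vulnerability feed, check licence terms, apply a policy, and re-run the check whenever the feed changes. As an added example that is not from the OSSRA report or from Black Duck’s own tooling, the Python script below runs that pipeline over a constructed bill of materials and a constructed NVD-style feed. Every component name, version, licence and vulnerability id in it is made up for illustration (ids use an `EXAMPLE-` prefix rather than CVE numbers), and the policy thresholds are assumptions a team would set for itself.

```python
"""Open source risk check: inventory -> vulnerability match -> licence check -> policy -> re-check.

Added example, not the OSSRA report's or Black Duck's code. All data below is constructed;
a real pipeline would read an SBOM produced by the build and pull the NVD or OSV feed.
"""
from typing import Dict, List, Tuple

# Step 1: the inventory (a constructed bill of materials). None = no licence terms found.
BOM: List[Dict] = [
    {"name": "libexample-http", "version": "2.3.1", "license": "Apache-2.0"},
    {"name": "fastparse", "version": "1.0.9", "license": "GPL-3.0-only"},
    {"name": "tinylog", "version": "0.4.2", "license": None},
    {"name": "cryptowrap", "version": "4.1.0", "license": "MIT"},
]

# Step 2: a constructed NVD-style feed. "affected" is [first affected, first fixed).
VULN_FEED: List[Dict] = [
    {"id": "EXAMPLE-2013-0001", "name": "libexample-http",
     "affected": ("2.0.0", "2.4.0"), "cvss": 9.8, "year": 2013},
    {"id": "EXAMPLE-2016-0002", "name": "fastparse",
     "affected": ("1.0.0", "1.1.0"), "cvss": 5.3, "year": 2016},
]

# Step 4: an assumed organisational policy. Block the build on high/critical findings,
# send GPL-family components to legal review, and never ship unlicensed code.
POLICY = {
    "block_severities": {"high", "critical"},
    "review_licence_prefixes": ("GPL-", "AGPL-", "LGPL-"),
    "fail_on_licence_findings": True,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1), so that 10.0.0 sorts after 9.9.9 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """Inclusive lower bound, exclusive upper bound: the 'fixed in' version is safe."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def severity(cvss: float) -> str:
    """NVD's qualitative rating bands for CVSS v3 base scores."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def match_vulnerabilities(bom: List[Dict], feed: List[Dict], current_year: int) -> List[Dict]:
    """Step 2: join the inventory to the feed by name and affected version range."""
    findings = []
    for comp in bom:
        for vuln in feed:
            if vuln["name"] == comp["name"] and is_affected(comp["version"], *vuln["affected"]):
                findings.append({
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "id": vuln["id"],
                    "severity": severity(vuln["cvss"]),
                    # How long the issue has been public: the report's "four years" metric.
                    "years_public": current_year - vuln["year"],
                })
    return findings


def check_licences(bom: List[Dict], policy: Dict) -> List[Dict]:
    """Step 3: flag missing licence terms and licence families the policy wants reviewed."""
    findings = []
    for comp in bom:
        lic = comp["license"]
        label = f'{comp["name"]}@{comp["version"]}'
        if lic is None:
            findings.append({"component": label, "issue": "no licence terms identified"})
        elif lic.startswith(policy["review_licence_prefixes"]):
            findings.append({"component": label, "issue": f"{lic} requires legal review"})
    return findings


def assess(bom: List[Dict], feed: List[Dict], policy: Dict, current_year: int) -> Dict:
    """Step 4: apply the policy. Step 5 is simply calling this again with a newer feed."""
    vulns = match_vulnerabilities(bom, feed, current_year)
    licences = check_licences(bom, policy)
    blocking = [v for v in vulns if v["severity"] in policy["block_severities"]]
    fail = bool(blocking) or (policy["fail_on_licence_findings"] and bool(licences))
    return {"vulnerabilities": vulns, "licence_findings": licences, "fail": fail}


if __name__ == "__main__":
    report = assess(BOM, VULN_FEED, POLICY, current_year=2017)
    for v in report["vulnerabilities"]:
        print(f'{v["component"]}: {v["id"]} ({v["severity"]}, public for {v["years_public"]} years)')
    for f in report["licence_findings"]:
        print(f'{f["component"]}: {f["issue"]}')
    print("build blocked" if report["fail"] else "build passes")
    # Step 5: a new disclosure lands in the feed; re-running the same check catches it.
    newer_feed = VULN_FEED + [{"id": "EXAMPLE-2017-0003", "name": "cryptowrap",
                               "affected": ("4.0.0", "4.2.0"), "cvss": 7.5, "year": 2017}]
    print("after feed update:", len(assess(BOM, newer_feed, POLICY, 2017)["vulnerabilities"]), "findings")
```

The join in `match_vulnerabilities` is deliberately on exact component name plus a numeric version range; the hard part in practice is producing that accurate name and version for every component in the first place, which is why the inventory step comes first in the list above.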
Organisations will continue to take advantage of the many benefits of open source in application development, building applications cheaper, faster, and with increased feature functionality, but should recognise the need to effectively manage the risks of open source use. The full findings of the 2017 Open Source Security and Risk Analysis can be downloaded here.