Up to 60 percent of all codebases used in the enterprise contain at least one vulnerability originating from open-source components, new research suggests.
On Tuesday, Black Duck by Synopsys released its annual Open Source Security and Risk Analysis (OSSRA) report, which analyzed the anonymized data of over 1,200 commercial codebases from 2018.
Open-source software, libraries, and other components are often of crucial value to businesses today.
The support of the open-source community, many talented programmers willing to give their time to contribute to projects, code transparency, and quicker implementation times than the development of systems in-house all contribute to the high rates of open-source adoption.
Of all the codebases reviewed by Black Duck, 96 percent contained open-source components, and most of the codebases without open-source contained fewer than 1,000 files. If the figure is revised to codebases with more than 1,000 files, the open-source adoption rate increased to 99 percent.
On average, Black Duck identified 298 open-source components per codebase in 2018 in comparison to 257 in the previous year.
While the benefit of many eyes on a project can mean that open-source code has security advantages, sometimes, vulnerabilities can slip through the net or remain unpatched as developers may not realize they are impacted by a security flaw.
Out of the codebases reviewed, 60 percent contained at least one vulnerability. It does appear, however, that the security situation is improving, as this is a reduced figure from 78 percent in 2017.
In total, Black Duck says that over 40 percent contained vulnerabilities deemed of a critical nature.
"The reality is that open-source is not less secure than proprietary code," the report says. "But neither is it more secure. All software, be it proprietary or open-source, has weaknesses that might become vulnerabilities, which organizations must identify and patch."
The average age of vulnerabilities scanned was 6.6 years. The oldest, CVE-2000-0388, is a buffer overflow flaw in the FreeBSD libmytinfo library which was disclosed 28 years ago. In total, 43 percent of codebases scanned contained a bug over 10 years old, which may suggest businesses are not aware of their open-source use nor manage a catalog of components, which leaves aging software unpatched and open to exploit.
Some of the most critical vulnerabilities found included CVE-2018-7489, a remote code execution FasterXML jackson-databind security flaw; CVE-2017-15095, a deserialization flaw in jackson-databind; CVE-2014-0050, a denial-of-service (DoS) issue impacting Apache Tomcat, JBoss Web, and others; and CVE-2017-15708, a remote code execution bug in Apache Synapse.
The most common bug present in codebases was CVE-2012-6708, a medium-severity XSS problem impacting versions of jQuery before 1.9.0.
"Only a handful of open-source vulnerabilities -- such as those infamously affecting Apache Struts or OpenSSL -- are likely to be widely exploited," the researchers say. 'With that in mind, organizations should focus their open source vulnerability management and mitigation efforts on CVSS scores and the availability of exploits, not only on "day zero" of a vulnerability disclosure but over the life cycle of the open-source component."
Another issue raised in the report is licensing conflicts. In total, 68 percent of the codebases audited contained components with conflicts, and 38% contained components with no identifiable license.
Previous and related coverage
- Adobe Flash security tool Flashmingo debuts in open source community
- Open-source vulnerabilities which will not die: Who is to blame?
- Red Team to help secure open-source software
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0