Open-source vulnerabilities plague enterprise codebase systems

Vulnerabilities including the bug reportedly responsible for Equifax's data breach are still common elements of open-source systems used in the enterprise.
Written by Charlie Osborne, Contributing Writer

A new report into the state of enterprise security suggests that the majority of codebases in use contain known vulnerabilities due to the use of open-source components.

On Tuesday, Synopsys released the Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report, which found that open-source adoption is on the rise in the enterprise -- but security controls have not necessarily matched the pace.

Open-source projects, software, and library adoption have become a common theme in the enterprise. Open-source systems can save a vast amount of time and money for developers and businesses alike and many well-known players in fields ranging from technology to core services use open-source components on a daily basis.

However, the nature of open-source projects, with developers giving away their time for free, means that bugs may sometimes escape the net and cause chaos further down the line unless users and staff are aware of which components are in use and maintain regular security checks.

In 2017, for example, Equifax blamed open-source Apache Struts usage for a cyberattack which led to the compromise of 143 million records.

In the same year, Black Duck Software researchers found through an audit of 1,000 commonly-used applications in the enterprise that 96 percent utilized open-source software, and over 60 percent contained security vulnerabilities due to these components.

Some of the bugs found were over four years old.

It seems little has changed. The Burlington, Mass.-based firm's latest research suggests that a third of enterprise codebases have still not patched the same vulnerability which caused Equifax such heartache.

After auditing a total of 1,100 commercial databases used by companies in industries including cybersecurity, automotive, healthcare, manufacturing, and mobile applications, the researchers found an average of 257 open-source components per codebase, an uptick of 75 percent over a 12-month period.

However, 78 percent of the codebases examined contained at least one security vulnerability due to open-source components, and on average, 64 vulnerabilities per codebase were found. Many of the security flaws uncovered in the codebases were publicly disclosed as far back as six years ago.

According to the researchers, over 54 percent of the vulnerabilities found are critical issues, and 17 percent contained well-known bugs such as Heartbleed, Logjam, Freak, Drown, or Poodle.


In total, eight percent of the databases utilized Apache Struts, and 33 percent of these codebases contained the vulnerability (CVE-2017-5638) which apparently was at fault for the Equifax breach.

Perhaps ironically, the most vulnerabilities were present in codebases used in the IT & software infrastructure industry, and cybersecurity systems, at 67 percent and 41 percent respectively.

"Since modern software and infrastructure depend heavily on open-source technologies, having a clear view of components in use is a key part of corporate governance," said Tim Mackey, Technical Evangelist at Black Duck by Synopsys. "With the growth in open-source use, organizations need to ensure they have the tools to detect vulnerabilities in open-source components and manage whatever license compliance their use of open source may require."
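As an added illustration of the component inventory and vulnerability matching Mackey describes (this is example code, not the article's or Synopsys's own), the Python below parses a constructed `mvn dependency:list` excerpt, checks each component against an inline advisory table with version ranges, and reports how many years ago each matched vulnerability was disclosed. The advisory table is constructed sample data: the struts2-core ranges follow the public CVE-2017-5638 advisory as published, while the second entry, its CVE identifier, the component list and the report date are all placeholders made up for this example.

```python
"""Minimal software-composition check: inventory open-source components
and match them against a table of known-vulnerable version ranges.

Added illustration, not code from the article or from Black Duck by
Synopsys. All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    low: str        # first affected version (inclusive)
    high: str       # last affected version (inclusive)
    published: date


# Constructed advisory feed. The two struts2-core ranges mirror the public
# CVE-2017-5638 advisory; the third entry is a placeholder, not a real CVE.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.3.5", "2.3.31", date(2017, 3, 6)),
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.5", "2.5.10", date(2017, 3, 6)),
    Advisory("CVE-PLACEHOLDER-0001", "com.example", "old-parser", "1.0", "1.4", date(2012, 1, 1)),
]

# Constructed excerpt in the shape of `mvn dependency:list` output.
DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.30:compile
[INFO]    com.example:old-parser:jar:1.2:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO]    commons-io:commons-io:jar:2.6:compile
"""

# Assumed scan date, so that advisory ages are reproducible.
REPORT_DATE = date(2018, 5, 15)


def parse_version(text: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31); a non-numeric tail such as
    '0-SNAPSHOT' contributes only its leading digits (or 0)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive check low <= version <= high on dotted version strings."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def parse_maven_list(text: str) -> list:
    """Extract (group, artifact, version) triples from dependency:list lines,
    which look like group:artifact:type:version:scope."""
    components = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 4:
            continue  # header or other non-dependency line
        components.append((parts[0], parts[1], parts[3]))
    return components


def find_vulnerable(components: list, advisories: list, today: date) -> list:
    """Match every component against every advisory for the same artifact."""
    findings = []
    for group, artifact, version in components:
        for adv in advisories:
            if (group, artifact) == (adv.group, adv.artifact) and version_in_range(version, adv.low, adv.high):
                findings.append({
                    "component": f"{group}:{artifact}:{version}",
                    "cve": adv.cve,
                    "age_years": (today - adv.published).days // 365,
                })
    return findings


def scan_codebase(dependency_text: str = DEPENDENCY_LIST,
                  advisories: list = ADVISORIES, today: date = REPORT_DATE) -> dict:
    """Inventory the components, match advisories and summarise the result."""
    components = parse_maven_list(dependency_text)
    findings = find_vulnerable(components, advisories, today)
    return {
        "components": len(components),
        "findings": findings,
        "oldest_finding_years": max((f["age_years"] for f in findings), default=0),
    }


if __name__ == "__main__":
    result = scan_codebase()
    print(f"{result['components']} open-source components inventoried")
    for f in result["findings"]:
        print(f"  {f['component']}: {f['cve']} (disclosed {f['age_years']} years ago)")
```

The point of the inventory step is that it runs before any matching: a codebase whose component list is unknown cannot be checked against any advisory feed at all, which is the situation the report describes for the third of Struts users still exposed to CVE-2017-5638.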
