Open-source software management fails to meet security concerns

A recent survey suggests that the enterprise is more reliant than ever on open-source, but failing to manage and secure it effectively.
Written by Charlie Osborne, Contributing Writer

The enterprise's use of open-source components to bolster its own software and systems is rising, but companies are failing to secure and manage it effectively, new research suggests.

According to Black Duck's latest 2017 Open Source 360 Degree survey, "the effective management of open-source is not keeping pace with the increase in use."

Released on Thursday, the survey of 819 US and EMEA software developers, IT professionals, security experts, and systems architects reports a significant uptake in the use of open-source software over the last year, with almost 60 percent of respondents saying their organizations make use of open-source, community-based development.

Cost savings, easy access, and freedom from vendor lock-in, as well as the ability to customize code and fix bugs directly, all factor into their use of open-source software, and according to 55 percent of those surveyed, open-source software also boosts business innovation.

However, there are concerns with relying heavily on open-source components. According to the research, 66 percent of respondents worry about license risk and the loss of intellectual property through using open-source software.

In total, 64 percent are also concerned about the exposure of internal applications to exploit through vulnerabilities in open-source code, and 71 percent believe that open-source usage may also expose external apps to exploit.

In addition, 61 percent are concerned that development teams may not adhere to internal rules and practices when using open-source software.

To make matters worse, only 15 percent of respondents said their organizations have automated processes in place to manage open-source use, and almost half admitted that their companies have no formal policies in place for selecting or approving open-source software -- which can leave major blind spots for security professionals.

Only 54 percent of survey respondents said they believed their organizations were in compliance with open-source licensing demands, only 55 percent said they kept informed of known security vulnerabilities, and 44 percent conform to internal open-source security policies.

The majority of respondents believe that a structured process for reviewing and approving open-source use requests, together with a whitelist and blacklist of approved and banned open-source components, are the most crucial elements of a successful open-source policy.
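As an added illustration of what the automated process and the approved/banned component lists described above can look like in practice, the following script is an example written for this article, not code from Black Duck or from any survey respondent. It reads a pip-style requirements manifest (a constructed sample is embedded), checks every pinned component against an approved list with minimum versions, a banned list, and a constructed advisory feed of known-vulnerable versions, and returns findings a review process could act on. All component names, policy entries and advisory identifiers below are constructed placeholders.

```python
"""Example open-source component policy check (constructed for illustration)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    kind: str    # "banned", "unapproved", "below-minimum", "known-vulnerability", "unpinned"
    detail: str


# Constructed sample manifest; the names and versions are not from any real project.
SAMPLE_MANIFEST = """\
# constructed sample requirements file
requests==2.19.0
flask==2.0.3
leftpad-clone==1.0.0
pyyaml==5.1
some-util==0.3.1
cryptography
"""

# Constructed policy: approved components and the minimum version allowed.
APPROVED = {"requests": (2, 20, 0), "flask": (2, 0, 0), "pyyaml": (5, 4, 0)}
# Constructed policy: banned components and the reason recorded for reviewers.
BANNED = {"leftpad-clone": "unmaintained; no security contact"}
# Constructed advisory feed: (component, first fixed version, placeholder advisory id).
ADVISORIES = [
    ("requests", (2, 20, 0), "ADV-PLACEHOLDER-1"),
    ("pyyaml", (5, 4, 0), "ADV-PLACEHOLDER-2"),
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text):
    """'2.19.0' -> (2, 19, 0); tuples compare correctly segment by segment."""
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_manifest(text):
    """Return (name, version) pairs; an unpinned line yields an empty version."""
    pins = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
        else:
            pins.append((line.strip().lower(), ""))
    return pins


def check_manifest(text):
    """Apply the banned/approved/advisory rules and collect every finding."""
    findings = []
    for name, version in parse_manifest(text):
        if not version:
            findings.append(Finding(name, "", "unpinned", "exact version required for review"))
            continue
        ver = parse_version(version)
        if name in BANNED:
            findings.append(Finding(name, version, "banned", BANNED[name]))
        elif name not in APPROVED:
            findings.append(Finding(name, version, "unapproved",
                                    "not on the approved list; submit a review request"))
        elif ver < APPROVED[name]:
            findings.append(Finding(name, version, "below-minimum",
                                    "minimum approved version is " + fmt(APPROVED[name])))
        # Advisory matching runs independently of approval status.
        for adv_name, fixed_in, adv_id in ADVISORIES:
            if adv_name == name and ver < fixed_in:
                findings.append(Finding(name, version, "known-vulnerability",
                                        adv_id + ": fixed in " + fmt(fixed_in)))
    return findings


def compliant_components(text):
    """Names that produced no finding at all, sorted."""
    flagged = {f.component for f in check_manifest(text)}
    return sorted({name for name, _ in parse_manifest(text)} - flagged)


if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"{f.kind:20} {f.component}=={f.version or '?'}  {f.detail}")
    print("compliant:", compliant_components(SAMPLE_MANIFEST))
```

Run against the embedded sample it reports seven findings (two for an outdated `requests` pin, a banned component, two for `pyyaml`, one unapproved component and one unpinned line) and leaves only `flask` as compliant; in a real pipeline the approved and banned lists would be maintained by the review process and the advisory feed refreshed from a vulnerability database rather than hard-coded.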

"Companies are using a tremendous amount of open source for sound economic and productivity reasons, but today most companies are not effective in securing and managing it," said Lou Shipley, Black Duck CEO. "Today open-source comprises 80 percent to 90 percent of the code in a modern application and the application layer is a primary target for hackers."

"This means that exploitation from known open source vulnerabilities represents the most significant application security risk most organisations face," Shipley added.


The full results of the survey will be published on June 22.

Back in April, Black Duck researchers discovered "significant cross-industry risks" in the use of open-source components within financial enterprise apps, with the majority of software containing unpatched open-source bugs and vulnerabilities -- some of which were over four years old. An average of 52 vulnerabilities was discovered per app.
