Open source rules. Everyone from Apple to Microsoft to Zoom uses it. Don't believe me? Synopsys, a software and silicon design company, which also covers intellectual property, reported in its 2020 Open Source Security and Risk Analysis (OSSRA) report that nearly all (99%) of audited codebases contained at least one open-source component. That's good news. The bad news is 91% of the codebases containing components were either more than four years out of date or had seen no development activity in the last two years.
Not good. Underlining how disturbing this is, Synopsys Cybersecurity Research Center (CyRC) found that open source made up 70% of all. That's a lot of aged and abandoned open-source software. Old software, unlike fine wine, does not age well.
The report is based on the results of over 1,250 commercial codebase audits. Even more worrying is that 75% of audited codebases contain open-source components with known security vulnerabilities. That's up from 60% in 2019. Almost half (49%) of the codebases contained high-risk vulnerabilities. That's up from 40% last year.
"It's difficult to dismiss the vital role that open source plays in modern software development and deployment, but it's easy to overlook how it impacts your application risk posture from a security and license compliance perspective," said Tim Mackey, CyRC's principal security strategist. "The 2020 OSSRA report highlights how organizations continue to struggle to effectively track and manage their open-source risk. Maintaining an accurate inventory of third-party software components, including open source dependencies, and keeping it up to date is a key starting point to address application risk on multiple levels."
Apart from security worries, another concern is that 68% of codebases contained some open-source license conflicts. Worst still, 33% contained open-source code with no identifiable license. While comparatively invisible compared to security holes, potential intellectual property (IP) clashes can also endanger your company.
What can you do about this, besides having Synopys's Black Duck Audit Services, or similar companies, audit your code?
Gartner analyst Dale Gardner, in his recent research paper Technology Insight for Software Composition Analysis, thinks we need a software bill of materials (BOM). This would give companies a comprehensive look into the open-source and commercial components and frameworks used in an application or service. Gardner said organizations should "continuously build a detailed software bill of materials (BOM) for each application providing full visibility into components."
With all these outdated and insecure components in all our programs and our increasingly software-based hardware, this is an excellent idea. As Frank Nagle, a professor at Harvard Business School and co-director of the Linux Foundation's Census II project that surveys essential open-source code, said:
"FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smartphones, cars, the Internet of Things, and numerous pieces of critical infrastructure. Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy."
This isn't just a good idea moving forward. It's essential for not just our coding and our productivity, but for our safety as well.