Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation (COSRI) analyzed 1,071 applications audited during 2016 and found both high levels of open source usage – 96% of the apps contained open source – and significant exposure to open source security vulnerabilities – more than 60% of the apps contained open source security vulnerabilities.
Notably, audited applications from the financial industry averaged 52 open source vulnerabilities per application, and 60% of those applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
Open source license conflicts were widespread. The audited applications contained 147 open source components on average – a daunting number of license obligations to keep track of – and in fact 85% of audited applications contained components with license conflicts. The most common challenges were GPL license violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications were in compliance with GPL obligations.
“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source. This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges,” said Black Duck CEO Lou Shipley.
Shipley said he expected the open source audit findings would be eye-opening for security executives because the application layer is a primary target for hackers. “Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” said Shipley.
“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, Director at Black Duck’s Northern Ireland-based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organizations in every industry have a long way to go before they are effective in managing their open source.”