The number of codebases containing at least one open source vulnerability increased by nine percentage points in 2020, according to a new report from Synopsys, the silicon design company behind open source security management platform Black Duck.
In the sixth Open Source Security and Risk Analysis (OSSRA) report, Synopsys said it has provided an “in-depth snapshot of open source security, compliance, licensing, and code quality risk in commercial software,” observing that of the 1,546 commercial codebases scanned by Black Duck in 2020, 84% contained at least one open source vulnerability — up from 75% in last year’s report.
Most modern software relies to some degree on open source software, as it saves companies the time and resources needed to develop and maintain every component internally. Black Duck, which Synopsys bought in 2017 for $547 million, is one of several software composition analysis (SCA) platforms, with others including Sonatype, which was acquired by Vista Equity Partners in 2019; Snyk, which recently closed a $300 million round of funding; and WhiteSource, which last week raised $75 million. Companies use these platforms to identify every open source component in their stack to surface vulnerabilities and license compliance risks. And it’s these open source “audits” Synopsys and Black Duck primarily use as the basis for their annual OSSRA report.
The 1,546 codebases that constituted this year’s report spanned 17 industries, including aerospace, fintech, IoT, and telecommunications, with Synopsys concluding that 98% of codebases contain open source code. This is marginally down from the 99% it reported last year, but incremental deviations are to be expected — the bottom line is that most applications continue to rely on open source components.
So why would vulnerabilities be spreading at this rate? Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC), thinks that while there are some complexities behind the growth of vulnerabilities, for most companies the problem is essentially one of scale.
“If you look at the average number of components in an application over the last three years, it’s gone from 298 to 445 and now to 528,” he told VentureBeat. “If someone designed their update and patching processes to manage 300 components per app in 2018, they probably didn’t expect usage to grow that much in two years. Then if you overlay that US-CERT (U.S. cybersecurity and infrastructure agency) reported an average of slightly more than 48 new CVEs (common vulnerabilities and exposures) each day in 2020, keeping up with patching is a huge problem.”
At the heart of the problem is the vast array of open source software packages out there. A slew of tools have emerged to help developers and companies make sense of the open source world. Openbase, for example, wants to be the Yelp for open source software packages. OpenLogic’s Stack Builder, meanwhile, helps enterprises choose the right combination of open source software for their needs. And Two Sigma Ventures’ Open Source Index highlights GitHub’s most popular projects right now.
But while selecting the right package is important, keeping abreast of updates is equally essential. In short, developers often struggle to keep on top of their open source stack and remember where they got their open source components from when it’s time to download patches. This is an area where companies such as Synopsys are carving their niche.
The broad industry consensus is that vulnerabilities are rife within open source code, and bad actors are hell-bent on exploiting them. In its State of Software Security: Open Source Edition report last year, app security company Veracode noted that 70% of applications contained a security flaw in an open source library, while Sonatype recently reported a 430% surge in attacks targeting open source software supply chains.
But not all vulnerabilities are created equal, and many offer limited scope for hackers to exploit. In an interview with VentureBeat this week, WhiteSource CEO and cofounder Rami Sass said the company’s research showed that only “15% to 30% of vulnerabilities are effective — the majority of open source vulnerabilities are not called by the proprietary code.”
This means it’s important to distinguish between vulnerabilities that pose an immediate danger and minor flaws. With that in mind, Synopsys’s latest report found that the percentage of codebases containing high-risk open source vulnerabilities grew 11 percentage points to 60% in 2020, with “high-risk” defined as a vulnerability that has been actively exploited, has “documented proof-of-concept exploits,” or has been “classified as a remote code execution vulnerability.”
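The two ideas above, a vulnerability that is only “effective” when the application’s own code calls the vulnerable function, and a “high-risk” label based on exploitation, proof-of-concept, or remote code execution, can be combined into a simple triage step. The following Python script is an added example written for this edit; it is not code from the OSSRA report, Black Duck, WhiteSource, or any other tool mentioned here, and every package name, function name, and advisory ID in it is hypothetical. It resolves imports in a constructed application source, checks which flagged functions that source actually calls, and ranks the reachable advisories with high-risk ones first.

```python
"""Added example (not from the OSSRA report or this article): a minimal
reachability check that separates "effective" open source vulnerabilities,
those whose vulnerable function the application actually calls, from ones
it merely ships, then ranks the effective ones by the report's high-risk
criteria.  All package names, symbols and advisory IDs are hypothetical."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # hypothetical ID, not a real CVE
    package: str
    symbol: str              # "module.function" the advisory concerns
    exploited: bool = False  # known active exploitation
    has_poc: bool = False    # documented proof-of-concept exploit
    rce: bool = False        # classified as remote code execution

    def high_risk(self) -> bool:
        # Mirrors the report's definition of a high-risk vulnerability.
        return self.exploited or self.has_poc or self.rce


def called_symbols(source: str) -> set[str]:
    """Return "module.function" names that `source` calls through an import.

    Handles `import m`, `import m as alias`, and `from m import f [as g]`.
    Dotted imports (`import a.b`) and dynamic dispatch are not resolved, so
    this under-approximates reachability; treat a miss as "unknown", not safe.
    """
    tree = ast.parse(source)
    module_aliases: dict[str, str] = {}   # local name -> module
    symbol_aliases: dict[str, str] = {}   # local name -> "module.function"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                module_aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                symbol_aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    called: set[str] = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = module_aliases.get(func.value.id)
            if module:
                called.add(f"{module}.{func.attr}")
        elif isinstance(func, ast.Name) and func.id in symbol_aliases:
            called.add(symbol_aliases[func.id])
    return called


def triage(source: str, advisories: list[Advisory]) -> list[Advisory]:
    """Keep only advisories whose vulnerable symbol is reachable from `source`,
    high-risk ones first, then by ID for a stable order."""
    reachable = called_symbols(source)
    effective = [a for a in advisories if a.symbol in reachable]
    return sorted(effective, key=lambda a: (not a.high_risk(), a.advisory_id))


# Constructed advisory feed; the packages and IDs do not exist.
ADVISORIES = [
    Advisory("EXAMPLE-1", "fakeyaml", "fakeyaml.unsafe_load", rce=True),
    Advisory("EXAMPLE-2", "fakeyaml", "fakeyaml.dump_all"),
    Advisory("EXAMPLE-3", "fakehttp", "fakehttp.parse_header", has_poc=True),
    Advisory("EXAMPLE-4", "fakehttp", "fakehttp.encode"),
]

# Constructed application source: it ships both packages but calls only
# three of the four flagged functions, so EXAMPLE-2 is not "effective".
APP_SOURCE = '''
import fakeyaml as y
import fakehttp
from fakehttp import parse_header as ph

def load_config(path):
    with open(path) as fh:
        return y.unsafe_load(fh.read())

def handle(raw):
    return fakehttp.encode(ph(raw))
'''

if __name__ == "__main__":
    for adv in triage(APP_SOURCE, ADVISORIES):
        print(adv.advisory_id, adv.symbol, "HIGH" if adv.high_risk() else "low")
```

Running the script lists EXAMPLE-1 and EXAMPLE-3 (reachable and high-risk) ahead of EXAMPLE-4 (reachable, not high-risk) and omits EXAMPLE-2 entirely because nothing in the application calls it. Commercial SCA tools do the same kind of analysis across a full call graph and many languages; the caveat that applies to both is that a static check can only prove a call exists, not that one is absent, so an advisory that is not reachable today should be re-evaluated whenever the application or its dependencies change.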
Moreover, several of the top 10 open source vulnerabilities identified in the 2019 report not only reared their heads again in 2020 but showed sizable percentage increases — this, according to Mackey, was the biggest surprise the company saw in its audit.
“Normally, we’d expect to see exposure to any given CVE decline over time,” he said. “After all, once a vulnerability is reported, most teams will want to apply the patch.”
The top two vulnerabilities were related to jQuery, and both demonstrated double-digit year-on-year growth.
Away from the vulnerability sphere, the latest OSSRA report found that the number of codebases containing open source license conflicts fell marginally year-on-year from 67% to 65%, with nearly three-quarters of these related to a GNU General Public License.
Meanwhile, 26% of the codebases used open source with either no license or a customized license. This is important because customized open source licenses often need to be evaluated for potential IP issues or legal uncertainties.
Elsewhere, the report showed that 91% of codebases contained open source dependencies with zero development activity in the past two years, up from 88% the previous year. This might not be a problem, but it means the vast majority of codebases, according to Synopsys audits, contain an open source dependency with no recent new features, enhancements, or — more importantly — security fixes.
What does this all mean? For one thing, software — open source or otherwise — can become vulnerable if nobody is at the wheel. This is why the Linux Foundation set up the Core Infrastructure Initiative (CII), with backing from tech heavyweights such as Amazon, Google, Microsoft, Cisco, IBM, and Intel, to support open source projects that are critical to the internet and related devices and systems.
But it also means enterprise-focused commercial companies can monetize open source projects with the promise of added features and (enhanced) security. And companies such as Synopsys, WhiteSource, Snyk, and Sonatype can build billion-dollar businesses by helping developer teams keep on top of their open source stack and ensuring major flaws are addressed quickly.