There is no doubt that open source code plays a key role in the development of modern software. In fact, the software security firm Synopsys has found that open source code accounts for seven out of ten lines of code in the average application. Among the most popular components are jQuery, present in more than half (55%) of the codebases, followed by Bootstrap with 40% and Font Awesome with 31%.
What is really worrying, however, is how widely developers neglect to keep these codebases up to date and protected. Analysis of more than 1,250 commercial codebases since 2019 showed that a shocking 91% contain components that are either more than four years out of date or have been abandoned altogether. As a result, such applications are not only exposed to operational and compatibility problems; more importantly, they are at high risk of compromise.
In fact, 75% of these codebases contain vulnerabilities, a 15% increase in 2018 over the previous year. While the Heartbleed bug and the Apache Struts vulnerability exploited in the 2017 Equifax breach no longer appear to be an active threat, high-risk vulnerabilities remain in 49% of them.
It's hard to deny that open source plays a crucial role in the development and deployment of modern software, but it's easy to lose sight of how it affects your application's security and license compliance risk.
"The OSSRA 2020 report shows how organizations continue to struggle to effectively identify and manage their OSS risks," said Tim Mackey, head of security strategy at the Synopsys Cybersecurity Research Center.
To make matters worse, DevOps teams are on thin ice when it comes to license compliance: 73% of the audited codebases had license conflicts or no visible license at all.
Against this background, Synopsys makes several recommendations for reducing the risk. First, development teams must build a detailed software inventory, or bill of materials, listing every open source component and version they use. As Mackey adds, creating and maintaining an accurate inventory of third-party software components, including OSS dependencies, is an important starting point for addressing the risks in multi-tier applications.
Teams must therefore not only keep a close eye on component changes and newly disclosed threats and vulnerabilities, but also have policies and procedures in place to manage their open source components proactively. If software is central to how an organization is valued, it may be worth having a third party audit the code. Finally, it is suggested that everyone, from developers to information security experts and legal advisors, pool their expertise with the open source community.
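As an added illustration of the inventory recommendation above (example code written for this page, not a Synopsys tool), the script below builds a component inventory from two manifests and flags the two risk classes the report counts: components with no release in more than four years and components with no visible license. The manifests, the registry metadata table and the assessment date are all constructed sample data; in practice the metadata would come from the package registries.

```python
import json
from datetime import date
STALE_AFTER_DAYS = 4 * 365  # report threshold: "outdated for more than four years"
AS_OF = date(2020, 6, 1)    # constructed assessment date
# Constructed sample manifests for a hypothetical project (not real data).
PACKAGE_JSON = json.dumps({
    "dependencies": {"jquery": "1.12.4", "bootstrap": "4.5.0"},
    "devDependencies": {"legacy-widget": "0.9.2"},
})
REQUIREMENTS_TXT = "requests==2.23.0\nsomeoldlib==0.3.1\nflask\n"
# Constructed stand-in for registry metadata: (last release date, license id).
# A None license models a component with "no visible license".
METADATA = {
    ("npm", "jquery"): (date(2016, 5, 20), "MIT"),
    ("npm", "bootstrap"): (date(2020, 5, 12), "MIT"),
    ("npm", "legacy-widget"): (date(2014, 3, 1), None),
    ("pypi", "requests"): (date(2020, 5, 16), "Apache-2.0"),
    ("pypi", "someoldlib"): (date(2015, 1, 1), "BSD-3-Clause"),
}

def build_inventory(package_json, requirements_txt):
    """Return the component inventory as (ecosystem, name, version) tuples."""
    inv = []
    for section in ("dependencies", "devDependencies"):
        for name, ver in json.loads(package_json).get(section, {}).items():
            inv.append(("npm", name, ver))
    for line in map(str.strip, requirements_txt.splitlines()):
        if line and not line.startswith("#"):
            name, _, ver = line.partition("==")
            inv.append(("pypi", name, ver or "unpinned"))
    return inv

def assess(inventory, metadata, today):
    """Map 'eco:name@version' to its findings; components with none are omitted."""
    findings = {}
    for eco, name, ver in inventory:
        issues = []
        if (eco, name) not in metadata:
            issues.append("no registry metadata")  # cannot be assessed at all
        else:
            last_release, license_id = metadata[(eco, name)]
            if (today - last_release).days > STALE_AFTER_DAYS:
                issues.append("no release in over four years")
            if not license_id:
                issues.append("no visible license")
        if issues:
            findings[f"{eco}:{name}@{ver}"] = issues
    return findings
def run_report():
    return assess(build_inventory(PACKAGE_JSON, REQUIREMENTS_TXT), METADATA, AS_OF)
```

Components absent from the metadata table are reported separately, since an inventory entry that cannot be matched to a registry record cannot be checked for staleness or licensing at all.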