By Ian Hall
Open source software provides the foundation for the vast majority of applications across all industries. Earlier this year, the Synopsys Cybersecurity Research Center (CyRC) released the “2021 Open Source Security and Risk Analysis” (OSSRA) report, highlighting the state of open source security and license compliance. The report is an analysis of more than 1,500 audits of commercial codebases, performed by the Black Duck® Audit Services team. Some highlights from this year’s findings include:
- 82% of companies audited within the marketing tech industry sector — which includes lead generation, CRM, and social media — had open source in their codebases
- 82% of healthcare sector codebases contained open source
- 69% for the financial services/fintech sector
- 48% of codebases in the retail and e-commerce sector
It’s not difficult to see why open source software is widely adopted by organisations. Open source solutions promote greater innovation since developers do not need to reinvent core functionality. They can simply utilise a library in whatever language they happen to be using. This also means it is extremely cost effective since that functionality could have taken many days or weeks to write themselves. Additionally, open source communities are comprised of volunteer contributors working to improve and update the code — and as part of that process, vulnerabilities are being patched. And yet, there’s no guarantee that the community behind any given open source project will continue maintaining the code on an ongoing basis.
One of the most alarming findings from this year’s OSSRA report is that 91% of codebases contained open source dependencies with no development activity in the last two years. This means that there were no code improvements or security fixes. This is often an area that is overlooked by developers as the adopt an “insert and forget” mindset, not thinking about the supportability of an open source component into the future.
Of the industries highlighted earlier utilising open source,
- 95% of those codebases in the marketing tech industry sector contained open source vulnerabilities.
- 67% in the healthcare sector
- Over 60% in the financial services/fin-tech sector
- 71% of the codebases in the retail and e-commerce sector contained vulnerabilities
In the world of open source security, ignorance is not bliss. If organisations aren’t proactive about vulnerability updates, they run the risk of becoming an easy target for attackers. Additionally, if they fail to comply with open source licenses, they can put their businesses at risk of litigation and open themselves to threats to their intellectual property.
Therefore, it is critical for organisations to keep track of open source components in their code. After all, you can’t protect what you don’t know you have. The good news is, on the open source front, for active projects — there are hundreds of thousands of people looking at and updating these codebases. So when a bug is discovered, patches are then created. And as an organisation, it’s important to ensure that those vulnerabilities are also being patched. Unfortunately, if projects are no longer active, they will have to be replaced with others or organisations can themselves develop patches and contribute them back into the community.
One conceivable downside exists in that when those patches are created for open source vulnerabilities, they aren’t automatically pushed out to users. The ‘push model’ is what you see on your phone or your laptop when it tells you an update is ready to be installed. If you click the prompt, oftentimes you’ll find the fine print reading “bug fixes and other improvements.” These are security patches and they are being pushed out to us. That makes it quick and easy for us to update and patch.
Open source, on the other hand, presents a ‘pull model’ whereby the user must retrieve the updates and then apply them. If the user doesn’t know they’re using an open source component with a vulnerability, they would not know enough to go retrieve the patch.
Hackers and cybercriminals are paying attention to open source vulnerabilities. As vulnerabilities are publicly disclosed, cybercriminals will try to identify organisations using vulnerable components with the goal of exploiting them. One notorious example of this is the 2017 Equifax breach. The breach resulted in the compromise of social security numbers along with other personal data of more than 147 million customers of the credit reporting giant. The cause? Equifax failed to apply a patch to the popular Apache Struts web application framework. A patch which had been available for several months at the time of the breach.
The 2021 OSSRA report illustrates and affirms the ubiquity of open source software across all industries. It also shows that many industries are struggling to manage open source risks adequately. Organisations and security teams must be proactive in maintaining their code, be aware of what they are using in their code and be sure to apply a patch once a vulnerability is made public, or risk being compromised.
Ian Hall is Asia-Pacific Client Services Manager at Synopsys Software Integrity Group
