It seems that the security situation of open source software is increasingly worrying, or at least that is the impression given by the trickle of reports warning about it. After VMware published a study showing a drop in trust, Synopsys is now warning that a huge percentage of code bases contain at least one serious vulnerability.
According to a report published by the Synopsys Cybersecurity Research Center, called Open Source Security and Risk Analysis, 84% of the 1,703 code bases it scanned in 2022 contained at least one vulnerability. Another detail worth noting is that 48% of those same code bases had high-risk vulnerabilities.
Although the report focuses on open source, it is important to note that it is not exclusively about open source projects, but rather about code bases that contain open source. The following graph shows how the percentage of code bases that contain open source, and the percentage of code in those bases that is open source, have both been decreasing in recent years, despite still standing at 96 and 76 percent respectively.
Another piece of information of interest collected by the report, this one coming from Gartner, is that 45% of organizations worldwide will suffer an attack through a vulnerability present in their supply chain by the year 2025, which is a not inconsiderable figure, although consistent with what we already know.
Synopsys explains that if an organization is unable to properly manage the security of the open source and third-party software it uses, no further efforts will be of any use, because the foundations are not being properly maintained: “Managing this software means gaining complete visibility into its dependencies and having the ability to easily collect information related to the risk introduced by these components. Once this risk has been identified, you need tools and practices to manage, prioritize and remediate it.”
Far from betting on obscurity as a way to improve security, Synopsys advocates carrying out a complete inventory of all the software used by a company, whether open source, proprietary or commercial, regardless of its origin. This would involve creating a Software Bill of Materials (SBOM) listing all of an application’s open source components, as well as their licenses, versions and patch status.
In contrast to the data just mentioned, the adoption of open source within code bases has improved if the last five years are considered. The presence of open source in the bases scanned by Synopsys increased between 2018 and 2022 by 163% in educational technology (EdTech); 97% in the aeronautical, aviation and automotive industries; and 74% in manufacturing and robotics. The explosive rise in EdTech occurred mainly during the pandemic.
The growth in open source adoption between 2018 and 2023 has been accompanied, although not necessarily causally, by a 557% increase in the number of high-risk vulnerabilities. Here we can highlight the aerospace, aviation, automotive, transportation and logistics verticals, which together experienced a 232% increase in high-risk vulnerabilities found in their code bases.
When it comes to IoT, a classic case of poor security and poorly maintained software, 100% of the code bases analyzed by Synopsys contained open source. At the same time, the number of high-risk vulnerabilities increased by 130% from 2018 to this year, and 53% of audited applications contained high-risk vulnerabilities. IoT security issues are old and stem mainly from poorly maintained software. The severity of the problem has been such that the most powerful DDoS attacks ever seen have come from this front.
Synopsys reports that its Black Duck Audit Services team audited 1,481 code bases and found that 91% of them contain open source components that are not up to date. Outdated software is another typical way for security flaws to accumulate, making things easy for malicious actors.
In addition to security issues, the Open Source Security and Risk Analysis report also covers licensing. In this area, Black Duck Audit Services found that 54% of code bases contained conflicts with open source licenses in 2022. This is an increase of 2% compared to the previous year, but a decrease of 17% compared to 2020. The license that caused the most conflicts (due to non-compliance) is the Creative Commons Attribution-Share Alike 3.0 (CC BY-SA 3.0), since 22% of the audited code bases had a conflict with it.
Synopsys also addresses the GPL, the most popular copyleft license. Here most of the conflicts stem from the inclusion of GPL-licensed source code in proprietary software whose own code is not publicly available under a compatible license (for example, the UNRAR source code is publicly available, but under a proprietary license). On the other hand, 31% of the code bases audited in 2022 were released under an indiscernible or custom license, which represents an increase of 55% compared to the previous year. An example is JSON, whose license is a modified MIT license with the restriction that “the software will be used for good, not for evil”, which may represent a breach of the principles of free software.
In addition to license conflicts, there is also unlicensed software. Synopsys points out that, although it is logical to think that if code is published it is meant for others to use, the lack of a clear license around its publication means that copyright law does not agree on the free use of that code.
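The inventory approach described above (an SBOM of components, versions and licenses, checked for outdated components, copyleft conflicts in proprietary products, and unlicensed code) as an added example that is not part of the report or of any Synopsys tool; the simplified CycloneDX-style document shape, the copyleft policy set and the component inventory are all constructed assumptions.

```python
"""Added example: a minimal SBOM-driven risk check.

The inventory, the 'latest version' table and the copyleft policy are all
constructed for illustration; they are not data from the Synopsys report.
"""
from dataclasses import dataclass
from typing import Optional

# Licenses treated as carrying copyleft obligations when shipped inside a
# proprietary product (an assumed policy, not a legal determination).
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "CC-BY-SA-3.0"}


@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]  # None models code published with no license at all


def build_sbom(components):
    """Emit a simplified CycloneDX-style document (assumed, reduced shape)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": c.name, "version": c.version,
             "licenses": [{"license": {"id": c.license}}] if c.license else []}
            for c in components],
    }


def parse_version(v):
    """Dotted numeric versions only (e.g. '1.4.2'); enough for the example."""
    return tuple(int(p) for p in v.split("."))


def assess(sbom, latest, proprietary_distribution=True):
    """Return {component name: [issues]} for outdated, copyleft or unlicensed parts."""
    findings = {}
    for comp in sbom["components"]:
        issues = []
        name, version = comp["name"], comp["version"]
        if name in latest and parse_version(version) < parse_version(latest[name]):
            issues.append(f"outdated: {version} < {latest[name]}")
        lic = comp["licenses"][0]["license"]["id"] if comp["licenses"] else None
        if lic is None:
            issues.append("no license: reuse not clearly permitted")
        elif proprietary_distribution and lic in COPYLEFT:
            issues.append(f"copyleft conflict: {lic}")
        if issues:
            findings[name] = issues
    return findings


# Constructed inventory and 'latest known version' table; no real project data.
INVENTORY = [Component("libfoo", "1.2.0", "MIT"),
             Component("parser-x", "0.9.1", "GPL-3.0-only"),
             Component("widgets", "2.0.0", None),
             Component("icons", "1.0.0", "CC-BY-SA-3.0")]
LATEST = {"libfoo": "1.4.2", "parser-x": "0.9.1", "widgets": "2.0.0", "icons": "1.0.0"}

if __name__ == "__main__":
    for name, issues in assess(build_sbom(INVENTORY), LATEST).items():
        print(name, issues)
```

Passing `proprietary_distribution=False` models a product that is itself released under a compatible open license, where the copyleft findings drop out but the outdated and unlicensed ones remain.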
And those are the most interesting points of the Synopsys Open Source Security and Risk Analysis report, which has much more data related to the use of open source in code bases, the security of the code bases themselves and licensing.