Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center, offers his exclusive insight on the recent Open Source Security and Risk Analysis (OSSRA) report.
Believe it or not, the average number of vulnerabilities in commercial software grew by an astounding 93% over the year-long lockdown period. That is the headline finding of the 6th edition of the Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC). The report also shows that the number of open source components per codebase rose 19% within the year. In other words, the number of vulnerabilities is soaring in tandem with the use of open source in codebases.
This year’s OSSRA report is based on audits of 1,546 commercial software applications performed throughout 2020. These audits were part of technical due diligence contracted by clients undergoing a merger or acquisition, and form the core business of the Black Duck Audit Services team. Every year, the CyRC analyses the data from these audits to build the OSSRA report and highlight new or developing trends in the use of open source within commercial applications, so that development teams get actionable insight and the industry gains a fuller understanding of the software ecosystem.
A Summary of the Findings
Of the 1,546 audited applications, 98% contained open source. Shockingly, 84% of these had at least one unpatched vulnerability, and the average codebase contained 158 of them. That is a 9% increase on the previous year’s analysis and the second-highest increase recorded since 2017. Correspondingly, the proportion of codebases containing “high-risk” open source vulnerabilities rose by a dramatic 11%, taking the past year’s figure to 60%.
Vulnerabilities are considered “high-risk” when they have been actively exploited in the wild, have a documented proof-of-concept exploit, or are classified as remote code execution vulnerabilities: a class of flaw that lets an attacker run arbitrary commands or code on the affected machine and take complete control of it. When analysing the data for this year’s OSSRA report, researchers found that four of the previous year’s ‘top ten’ open source vulnerabilities reappeared, each in a higher percentage of codebases than before.
The report also highlights how patch management works, or fails to work, for the open source inside commercial software. 91% of the audited codebases contained outdated open source components that had received no improvements or security fixes for two years. So, while the open source community has been actively patching security bugs, companies haven’t been applying the resulting updates to protect themselves.
However, when companies do apply an update to their codebases, they potentially expose themselves to a different risk. A security update to an open source project tends to be simply the next release, following the same model as any other release. Consequently, patching a high-severity vulnerability means also taking on any functional changes between the unpatched and patched versions, and teams must retest their applications to ensure those functional changes don’t affect the application in unexpected ways.
Finally, the report also assessed open source licensing. It found that over 90% of the codebases contained at least one open source component with a licence conflict, a customised licence, or no grant of licence at all. Worryingly, nearly two-thirds (65%) of codebases contained licence conflicts, where the licences involved carry incompatible rights and obligations, while 26% had components with either no licence or a customised one. These issues leave room for copyright infringement and other legal concerns that could jeopardise a merger or acquisition.
Securing the Use of Open Source
- Maintain an accurate inventory: Every organisation must have full visibility over all open source components used within their business, including where they came from and how each component releases updates. To be able to implement the correct patches, it is crucial to know exactly what components you have and where they originated.
- Monitor for updates: When it comes to open source, each organisation is responsible for tracking new releases of the components it uses. You don’t want to fall behind and leave security gaps that attackers might take advantage of.
- Focus scanning with open source information: Use your open source inventory to guide security scanning, so that triage, remediation and mitigation effort goes where the exposure actually is. Attackers exploit known weaknesses, and because commercial software is built on open source components, an unpatched component can form part of a successful attack pattern.
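The three recommendations above fit together as one workflow: an inventory of what you ship, a feed of advisories and release activity for those components, and a triage step that ranks each component by the report’s own risk criteria. The following Python is an added example written for this article; it is not code from the OSSRA report or from Synopsys tooling. It assumes a parsed CycloneDX-style component list with a constructed `last_release` date per component, a constructed advisory feed with placeholder identifiers (`ADV-EXAMPLE-*`), fictional package names, the article’s definition of “high-risk” (exploited in the wild, public proof of concept, or remote code execution), and the report’s two-year threshold for an unmaintained component.

```python
"""Inventory-driven triage of open source components.

Added example, not code from the OSSRA report or from Synopsys tooling.
Assumptions: the inventory is a parsed CycloneDX-style component list with a
constructed 'last_release' date per component; the advisory feed is a
constructed list with placeholder identifiers; 'high-risk' follows the
article's definition (exploited in the wild, public proof of concept, or
remote code execution); 'stale' means no upstream release for two years.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed inventory: fictional package names, not real projects.
INVENTORY = [
    {"name": "example-logger", "version": "2.0.3",
     "purl": "pkg:maven/example/example-logger@2.0.3", "last_release": "2020-11-01"},
    {"name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2", "last_release": "2018-01-15"},
    {"name": "example-crypto", "version": "3.0.2",
     "purl": "pkg:pypi/example-crypto@3.0.2", "last_release": "2021-02-10"},
    {"name": "example-utils", "version": "0.9.0",
     "purl": "pkg:npm/example-utils@0.9.0", "last_release": "2017-06-30"},
]

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "example-logger", "fixed_in": "2.1.0",
     "exploited_in_wild": True, "public_poc": True, "rce": True},
    {"id": "ADV-EXAMPLE-002", "component": "example-parser", "fixed_in": "1.5.0",
     "exploited_in_wild": False, "public_poc": False, "rce": False},
    {"id": "ADV-EXAMPLE-003", "component": "example-crypto", "fixed_in": "3.0.2",
     "exploited_in_wild": False, "public_poc": True, "rce": False},
]

# The report flags components with no fixes or improvements for two years.
STALE_AFTER = timedelta(days=2 * 365)


def parse_version(version: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(component: dict, advisory: dict) -> bool:
    """Affected when the component is the advisory's package and older than the fix."""
    return (component["name"] == advisory["component"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def is_high_risk(advisory: dict) -> bool:
    """The article's high-risk criteria: exploited, public PoC, or RCE."""
    return advisory["exploited_in_wild"] or advisory["public_poc"] or advisory["rce"]


def is_stale(component: dict, today: date) -> bool:
    """No upstream release within the two-year window means the component is unmaintained."""
    return today - date.fromisoformat(component["last_release"]) > STALE_AFTER


@dataclass
class Finding:
    name: str
    version: str
    advisories: list = field(default_factory=list)
    high_risk: bool = False
    stale: bool = False

    @property
    def priority(self) -> int:
        """0 = patch now, 1 = schedule the patch, 2 = unmaintained, 3 = nothing to do."""
        if self.high_risk:
            return 0
        if self.advisories:
            return 1
        if self.stale:
            return 2
        return 3


def triage(inventory: list, advisories: list, today: date) -> list:
    """Return the components that need action, most urgent first."""
    findings = []
    for component in inventory:
        hits = [a for a in advisories if is_affected(component, a)]
        finding = Finding(
            name=component["name"],
            version=component["version"],
            advisories=[a["id"] for a in hits],
            high_risk=any(is_high_risk(a) for a in hits),
            stale=is_stale(component, today),
        )
        if finding.priority < 3:
            findings.append(finding)
    return sorted(findings, key=lambda f: (f.priority, f.name))


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES, date(2021, 5, 1)):
        print(f.priority, f.name, f.version, f.advisories, "stale" if f.stale else "")
```

Run against the constructed data, the high-risk logger comes out first, the parser second (a known but lower-severity issue, and also two-plus years without a release), and the utils package third purely because nobody is maintaining it. The crypto component drops out because it is already on the fixed version. The version comparison deliberately strips non-numeric suffixes, so pre-release tags would need a real version parser in production use.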
Ultimately, open source use is only going to keep growing. Consequently, organisations must remediate security bugs by staying current on updates and vulnerabilities within their codebases. We want to avoid the growth of open source use being matched by growth in unpatched vulnerabilities. As such, companies must recognise the importance of continuous security monitoring and patching for all software assets – not just the commercial ones.