Managing open source security manually rather than with automated software composition analysis can create massive risks: report

Open source is playing a critical role in today’s software ecosystems. A large portion of modern codebases contain open source components, often comprising 70% or more of the overall code.

Yet, paralleling the growth of open source use is the mounting security risk posed by unmanaged open source. According to a Synopsys Cybersecurity Research Center report covering 1,500 IT professionals, 75% of the codebases audited by the firm contained open source components with known security vulnerabilities.

The report explores the strategies that organizations around the world are using to address open source vulnerability management as well as the growing problem of outdated or abandoned open source components in commercial code. Some findings include:

  • DevSecOps is rapidly growing worldwide. 63% of respondents reported that they were incorporating some measure of DevSecOps activities into their software development pipelines.
  • Identification of known security vulnerabilities is often the number one criterion when vetting new open source components.
  • There is no universally adopted application security testing (AST) tool. There is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate was still only utilized by less than half of respondents.
  • The media plays an important role in open source risk management. 46% of respondents noted that media coverage had prompted their organization to apply more stringent controls on open source usage.
  • About 47% of respondents are defining standards around the age of open source components they use. A growing issue in the open source community is project sustainability. A 2020 Synopsys study had shown that 91% of codebases audited in 2019 contained open source components that either were more than four years out of date or had had no development activity in the past two years. Security risks increase when obsolete code is deployed, including the threat of an open source component being hijacked. Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts.
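The age and vulnerability criteria in the findings above are the kind of policy an automated SCA check applies to a component inventory. The following is an added illustration, not code from the Synopsys report or any SCA product: it runs a constructed inventory (hypothetical component names, versions and dates) against a constructed advisory list and flags components with a known vulnerability, components whose version in use is more than four years behind the newest upstream release, and components whose project has had no activity in the past two years. The thresholds mirror the report's four-year and two-year figures; the "out of date" definition (time between the release in use and the newest upstream release) is an assumption made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    """One entry from a component inventory (e.g. derived from a lockfile or SBOM)."""
    name: str
    version: str
    released: date          # release date of the version actually in use
    latest_released: date   # release date of the newest upstream version
    last_activity: date     # most recent upstream commit or release


# Constructed advisory feed: (component, affected version). Hypothetical, not real CVEs.
ADVISORIES = {
    ("libfoo", "1.2.0"),
    ("barparse", "0.9.1"),
}

# Policy thresholds taken from the report's age criteria (approximated in days).
MAX_OUT_OF_DATE = timedelta(days=4 * 365)   # version in use > 4 years behind latest
MAX_INACTIVE = timedelta(days=2 * 365)      # no upstream activity for > 2 years

# Constructed inventory; every name, version and date here is made up for the example.
INVENTORY = [
    Component("libfoo", "1.2.0", date(2015, 1, 10), date(2020, 3, 1), date(2020, 3, 1)),
    Component("barparse", "0.9.1", date(2019, 11, 1), date(2019, 11, 1), date(2017, 5, 1)),
    Component("qux-utils", "3.4.1", date(2020, 1, 15), date(2020, 4, 20), date(2020, 4, 20)),
    Component("oldlib", "2.0.0", date(2014, 2, 1), date(2014, 2, 1), date(2014, 2, 1)),
]


def evaluate(inventory, advisories, today):
    """Return (name, version, reasons) for every component that violates policy.

    Components with no findings are omitted, so an empty list means the
    inventory is clean under the configured thresholds.
    """
    findings = []
    for c in inventory:
        reasons = []
        if (c.name, c.version) in advisories:
            reasons.append("known-vulnerability")
        if c.latest_released - c.released > MAX_OUT_OF_DATE:
            reasons.append("out-of-date")
        if today - c.last_activity > MAX_INACTIVE:
            reasons.append("inactive-project")
        if reasons:
            findings.append((c.name, c.version, tuple(reasons)))
    return findings


def report(findings):
    """Render findings as one line per flagged component."""
    return "\n".join(f"{name} {version}: {', '.join(reasons)}" for name, version, reasons in findings)


if __name__ == "__main__":
    # Fixed "today" so the constructed dates produce stable output.
    print(report(evaluate(INVENTORY, ADVISORIES, date(2020, 6, 1))))
```

In practice the inventory would be generated from the build's lockfile or an SBOM and the advisory set pulled from a vulnerability feed on every build, which is the difference between the automated SCA approach and the manual tracking the report describes.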

According to Tim Mackey, the firm’s Principal Security Strategist: “It’s clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk. Our report highlights how organizations are struggling to effectively track and manage their open source risk. Some 51% said it takes two to three weeks for them to apply an open source patch. This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released. The remaining organizations are probably employing manual processes to manage open source: processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily.”