
posted by Fnord666 on Saturday May 16 2020, @09:42AM
from the vet-your-libraries dept.

Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows:

Ninety-one per cent of commercial applications include outdated or abandoned open source components, underscoring the potential vulnerability of organizations using untended code, according to a software review.

Synopsys, a California-based design automation biz, conducted an audit of 1,253 commercial codebases in 17 industries for its 2020 Open Source Security and Risk Analysis report.

It found that almost all (99 per cent) of the codebases examined have at least one open source component and that 70 per cent of the code overall is open source. That's about twice as much as the company's 2015 report, which found only 36 per cent of audited code was open source.

Good news, then: open source code has become more important to organizations, but its risks have followed, exemplified by vulnerabilities like the 2014 Heartbleed memory disclosure bug and the Apache Struts flaws identified in 2017 and 2018.

Ninety-one percent of the audited applications had components that are either four years out of date or have exhibited no active development for two years. In 2019 – the time-period covered by the 2020 report – the percentage of codebases containing vulnerable components rose to 75 per cent, up from 60 per cent in 2018.

The percentage of applications afflicted with high-risk flaws reached 49 per cent in 2019, up from 40 per cent in 2018.

[Ed Note - The company that produced this report, Synopsys, is a vendor in this space and is not a disinterested party.]
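As an added illustration (not code from the story or from the Synopsys report), the check below applies the report's two staleness criteria, four years behind the latest release or two years without development activity, to a constructed component inventory, and keeps the "vulnerable" signal separate because an outdated component is not automatically an insecure one. All component names, dates and the advisory id are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Staleness thresholds as stated in the report summary above.
OUTDATED_YEARS = 4   # used version this far behind the latest release
ABANDONED_YEARS = 2  # no upstream development activity for this long
AUDIT_DATE = date(2019, 12, 31)  # end of the period the 2020 report covers

@dataclass(frozen=True)
class Component:
    name: str
    used_version: str
    used_release: date      # release date of the version actually deployed
    latest_release: date    # release date of the newest upstream version
    last_activity: date     # most recent upstream commit or release
    advisories: tuple = ()  # known advisory ids affecting used_version

def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25

def classify(c: Component, today: date) -> dict:
    """Report the three signals separately: staleness is a maintenance risk,
    but only a matching advisory makes the component actually vulnerable."""
    return {
        "outdated": years_between(c.used_release, c.latest_release) >= OUTDATED_YEARS,
        "abandoned": years_between(c.last_activity, today) >= ABANDONED_YEARS,
        "vulnerable": len(c.advisories) > 0,
    }

def audit(components, today: date) -> dict:
    """Per-codebase rollup in the style of the report's headline figures."""
    results = {c.name: classify(c, today) for c in components}
    return {
        "components": results,
        "has_stale": any(r["outdated"] or r["abandoned"] for r in results.values()),
        "has_vulnerable": any(r["vulnerable"] for r in results.values()),
    }

# Constructed sample inventory (hypothetical names, dates and advisory id).
SAMPLE = [
    Component("libparse", "1.2.0", date(2014, 3, 1), date(2019, 6, 1), date(2019, 6, 1)),
    Component("tinyutil", "0.9", date(2016, 1, 10), date(2016, 1, 10), date(2016, 1, 10)),
    Component("webfw", "2.3", date(2017, 2, 1), date(2018, 9, 1), date(2019, 12, 1), ("ADV-PLACEHOLDER-1",)),
    Component("jsonlib", "3.1", date(2019, 8, 1), date(2019, 8, 1), date(2019, 11, 1)),
]

def audit_sample() -> dict:
    return audit(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    for name, signals in audit_sample()["components"].items():
        print(name, signals)
```

Note that "tinyutil" is flagged only as abandoned and "webfw" only as vulnerable: the two findings call for different responses (maintenance planning versus patching).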


  • (Score: 0) by Anonymous Coward on Saturday May 16 2020, @10:34AM (#994947)

    "include outdated or abandoned open source components" is not the same as "insecure", and does not mean it is "vulnerable"

    I agree with you on this. If you look at some of the GNU system tools, some haven't been touched in years. They do their work and they just work.

    OTOH though, in the years that I have used open source software (since the late '90s) I've seen numerous examples where I was advised to migrate away from a software component because it was unmaintained AND had security issues.

  • (Score: 2) by driverless (4770) on Sunday May 17 2020, @05:29AM (#995263)

    Also, this is the commercial world, with contracts and SLAs and support requirements. You can't just swap out a software component because it's newer and shinier; you have to do things under very carefully controlled conditions during service windows, with months or possibly years of advance planning and notice. We do commercial open-source and many of our customers are running ancient versions of the code for exactly these reasons: once it's in place and verified to be operating as required, it doesn't get touched any more.

    We also have to deal with people who think you can upgrade your entire user base twice a week with the latest shiny whatever, like it was a smart phone app or browser. It's very hard, if not impossible, to get through to them that a lot of the world doesn't work like that.