Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows:
Ninety-one per cent of commercial applications include outdated or abandoned open source components, underscoring the potential vulnerability of organizations using untended code, according to a software review.
Synopsys, a California-based design automation biz, conducted an audit of 1,253 commercial codebases in 17 industries for its 2020 Open Source Security and Risk Analysis report.
It found that almost all (99 per cent) of the codebases examined have at least one open source component and that 70 per cent of the code overall is open source. That's about twice as much as the company's 2015 report, which found only 36 per cent of audited code was open source.
Good news then, open source code has become more important to organizations, but its risks have followed, exemplified by vulnerabilities like the 2014 Heartbleed memory disclosure bug and Apache Struts flaws identified in 2017 and 2018.
Ninety-one percent of the audited applications had components that are either four years out of date or have exhibited no active development for two years. In 2019 – the time-period covered by the 2020 report – the percentage of codebases containing vulnerable components rose to 75 per cent, up from 60 per cent in 2018.
The percentage of applications afflicted with high-risk flaws reached 49 per cent in 2019, up from 40 per cent in 2018.
[Ed Note - The company that produced this report, Synopsis, is a vendor in this space and is not a disinterested party.]
(Score: 3, Interesting) by JoeMerchant on Saturday May 16 2020, @02:21PM (3 children)
At a certain level of corporate management, the managers don't know anything but how to manage - and a purchased "solution" with a guarantee sticker on the contract is an end to that particular problem, in their minds - which is all that matters to them.
If you haven't paid for it, there's nobody to blame when it goes wrong.
🌻🌻 [google.com]
(Score: 4, Interesting) by acid andy on Saturday May 16 2020, @03:01PM (2 children)
Sounds like FOSS could go out of fashion with these types then. Or rather, that's what vendors like Synopsis are probably hoping will happen.
Consumerism is poison.
(Score: 3, Interesting) by JoeMerchant on Saturday May 16 2020, @09:35PM (1 child)
FOSS is a pretty hard sell at bigger companies, ours is accepting it grudgingly because we grow by acquisition and all of the best and brightest acquisitions are full of open source. We still get periodic spasms of reporting requirements from the legal department, they ask for something they think they want (like a list of ALL OSS packages in the product with their license terms), I produce a vague sketch of what that will look like for them (our latest product comes with Ubuntu 18.04 - they were proposing a decomposition of every license in every piece of it...), they backpedal and decide they're happy with a list of "just the big stuff..."
🌻🌻 [google.com]
(Score: 1, Interesting) by Anonymous Coward on Sunday May 17 2020, @05:54AM
Our legal department checks the entirety of the software that even touches our product or the machines it is made on. Because most licenses used anymore are standardized, you just have to look at it once to decide whether you like the terms or not. Then use the publicly available tools to track your database for changes. Packages and auditing systems make doing that a snap. Everyone's headaches have gone away since we formalized the process. For 95% of software, they don't even have to ask because our internal documentation already covers the Dos/Don'ts of a particular license and the system notices the addition automatically. Of course it is more work up front, but it drastically reduced the time it takes now, lowered various expenses and even increased productivity. We literally make money thanks to doing so.