Open source security: The risk issue is unpatched software, not open source use

Many of the trends in open source use that have presented risk management challenges to organizations in previous years persist today. However, new data also suggest that an inflection point has been reached, with many organizations improving their ability to manage open source risk, possibly due to heightened awareness and the maturation of commercial software composition analysis solutions.

The 2019 Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,200 audits of commercial applications and libraries, performed by the Black Duck Audit Services team. The report highlights trends and patterns in open source use, as well as the prevalence of both insecure open source components and license conflicts.

Many organizations are failing to patch or update their open source components. The average age of vulnerabilities identified in 2018 Black Duck Audits was 6.6 years, slightly higher than 2017 — suggesting remediation efforts haven’t improved significantly. Forty-three percent of the codebases scanned in 2018 contained vulnerabilities over 10 years old. When viewed against the backdrop of the National Vulnerability Database adding over 16,500 new vulnerabilities in 2018, it’s clear patch processes need to scale to accommodate increased disclosures.

The report notes that the use of open source software is not a problem in and of itself, and is, in fact, essential to software innovation. But failing to proactively identify and manage the security and license risks associated with the use of open source components can be very damaging.

See www.helpnetsecurity.com/2019/0…

#opensource #FOSS #security
source https://squeet.me/display/962c3e10-105c-cc90-4e19-b3e063102071