https://www.zdnet.com/article/out-of-date-insecure-open-source-software-is-everywhere/
> Synopsys has found that 99% of commercial software programs include at least one open-source component. But 91% of those included out of date or abandoned open-source code.
>
> By Steven J. Vaughan-Nichols for Linux and Open Source | May 12, 2020 -- 19:15 GMT (05:15 AEST) | Topic: Security > Open Source
>
> Open source rules. Everyone from Apple to Microsoft to Zoom uses it. Don't believe me? Synopsys, a software and silicon design company, which also covers intellectual property, reported in its 2020 Open Source Security and Risk Analysis (OSSRA) report that nearly all (99%) of audited codebases contained at least one open-source component. That's good news. The bad news is 91% of the codebases containing components were either more than four years out of date or had seen no development activity in the last two years.
>
> Not good. Underlining how disturbing this is, Synopsys Cybersecurity Research Center (CyRC) found that open source made up 70% of all. That's a lot of aged and abandoned open-source software. Old software, unlike fine wine, does not age well.
>
> The report is based on the results of over 1,250 commercial codebase audits. Even more worrying is that 75% of audited codebases contain open-source components with known security vulnerabilities. That's up from 60% in 2019. Almost half (49%) of the codebases contained high-risk vulnerabilities. That's up from 40% last year.
>
> "It's difficult to dismiss the vital role that open source plays in modern software development and deployment, but it's easy to overlook how it impacts your application risk posture from a security and license compliance perspective," said Tim Mackey, CyRC's principal security strategist. "The 2020 OSSRA report highlights how organizations continue to struggle to effectively track and manage their open-source risk. Maintaining an accurate inventory of third-party software components, including open source dependencies, and keeping it up to date is a key starting point to address application risk on multiple levels."
>
> Apart from security worries, another concern is that 68% of codebases contained some open-source license conflicts. Worse still, 33% contained open-source code with no identifiable license. While comparatively invisible compared to security holes, potential intellectual property (IP) clashes can also endanger your company.
>
> What can you do about this, besides having Synopsys's Black Duck Audit Services, or similar companies, audit your code?
>
> Gartner analyst Dale Gardner, in his recent research paper Technology Insight for Software Composition Analysis, thinks we need a software bill of materials (BOM). This would give companies a comprehensive look into the open-source and commercial components and frameworks used in an application or service. Gardner said organizations should "continuously build a detailed software bill of materials (BOM) for each application providing full visibility into components."
>
> With all these outdated and insecure components in all our programs and our increasingly software-based hardware, this is an excellent idea. As Frank Nagle, a professor at Harvard Business School and co-director of the Linux Foundation's Census II project that surveys essential open-source code, said:
>
> "FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smartphones, cars, the Internet of Things, and numerous pieces of critical infrastructure. Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy."
>
> This isn't just a good idea moving forward. It's essential for not just our coding and our productivity, but for our safety as well.

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:[email protected]  aim://kimholburn  skype://kholburn - PGP Public Key on request
