Almost all software contains open source code and the vast majority of codebases contain at least one know open source vulnerability. In addition codebases are made of of multiple components, many of which are outdated. Licence issues are also prevalent.

These findings come from the Cybersecurity Research Centre at  application security company, Synopsys in the 8th edition of its "Open Source Security and Risk Analysis” (OSSRA) report. 

The report examines the results of more than 1,700 audits of commercial codebases performed by the Black Duck® Audit Services team, primarily for merger and acquisition transactions.

The first finding is that 96% of scanned codebases contained open source and that 76% of code in codebases was open source. Commenting on the way in which open source serves as the foundation for the vast majority of commercial codebases the report says:

In fact, it’s so intertwined in modern development that code owners often don’t know the open source components in their own software. 

The codebases scanned came from 17 industry sector and there was some variation in the inclusion of open source by industry with Aerospace, aviation, automotive, transportation, logistics; EdTech; and Internet of Things being the three that had open source in 100% of their audited codebases. In the remaining sectors, over 92% of the codebases contained open source.

The report charts the presence of security vulnerabilities over the past 4 years, revealing that in 2022 84% of codebases contained at least one vulnerability and 48% of codebases contained high-risk vulnerabilities:

Further to this it states:

Another worrying finding is that 15% of codebases used more than 10 versions of a component.

Expanding on this problem the report states>

The average number of open source components in a given application this year was 595. When monitoring for security vulnerabilities and performing security maintenance activities, what might be practical for a small number of components becomes overwhelming and virtually impossible at this scale. 

The other problem explored in the report was the use of unlicensed code, or situations in which there were conflicts between licences.

So what is the solution to what seems to be a much bigger problem that we might have imagined. Accord to the report, it is to manage code usage with an SBOM, a Software Bill of Materials.

To quote from the report:

In the fight against software supply chain attacks, an SBOM should be your weapon of choice. The concept of an SBOM derives from manufacturing, where the classic Bill of Materials is an inventory detailing all the items included in a product. When a defective part is discovered, the manufacturer knows which of its products is affected and can begin the process of repair or replacement. Similarly, maintaining an accurate,up-to-date SBOM that inventories open source components is necessary
to ensure that code remains high quality, compliant, and secure. As in manufacturing, an SBOM of open source components allows you to pinpoint at-risk components quickly and prioritize remediation appropriately. A comprehensive SBOM lists all open source components in your applications as well as those components’ licenses, versions, and patch status—the perfect defense against supply chain attacks.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info