Open Source Security and Risk Analysis Report

Each year, the Synopsys Cybersecurity Research Center (CyRC) produces an Open Source Security and Risk Analysis Report that provides a snapshot of the current state of open source security and insights into compliance, licensing, models of open source code use, and the risks that have been introduced when incorporating open source code into commercial software.

Open source code is ubiquitous in today’s software ecosystem. In 2020, more than 98% of all audited commercial codebases were found to contain at least one open source component, demonstrating that open source libraries are the foundation for virtually every application in every industry. The percentage of open source components in codebases ranged from 48% in retail and e-commerce to 89% in Internet of Things devices. Across all represented industry sectors, 75.7% of codebases consisted of open source code.

For this year’s Open Source Security and Risk Analysis Report, Synopsys studied the results of 1,546 commercial codebase audits that were conducted using its Black Duck software composition analysis (SCA) solutions. Those solutions are used by businesses to identify and track open source code in their applications and automate the enforcement of open source policies. Synopsys cross-referenced the audit results with known licensing issues and vulnerabilities to identify compliance and security risks.

Open source code is generally considered to be more secure than proprietary code, simply because more eyes are checking the code for vulnerabilities; however, as is the case with any code, vulnerabilities exist that can potentially be exploited. While vulnerabilities in open source code are generally identified and corrected quickly, companies that have incorporated open source code in their applications need to ensure the code is updated when vulnerabilities are fixed.

The Open Source Security and Risk Analysis Report shows that many companies have incorporated open source code that contains vulnerabilities. 84% of the audited codebases were found to have at least one vulnerability, and an average of 158 vulnerabilities were found in each audited codebase. That represents a 9% increase in vulnerabilities since 2019, when the previous Open Source Security and Risk Analysis Report was published, and is the second-highest increase since 2017. The report also revealed that many companies are very slow to update their open source components: the average age of the vulnerabilities found in the codebases was 2.2 years.

Vulnerabilities that have proof-of-concept exploits in the public domain, allow remote code execution, or have been exploited in real-world cyberattacks are considered high-risk. 60% of the identified vulnerabilities in the codebases were high-risk vulnerabilities. This was the second successive year in which the number of high-risk vulnerabilities increased, and the annual increase was sizeable – jumping 11% from last year. The top 10 open source vulnerabilities discovered in the 2019 audits all reappeared in the 2020 audits and, in all cases, saw significant percentage increases. For instance, the lodash vulnerability – CVE-2019-10744 – is a critical flaw affecting all popular versions of the JavaScript library prior to 4.17.12. The vulnerability was found in 29% of the codebase audits conducted in both 2019 and 2020.

This year’s Open Source Security and Risk Analysis Report included an analysis of 3,000 of the most popular Android applications available through the Google Play Store. More than 98% of the applications contained open source code and 63% were found to include vulnerable open source libraries, with 44% of those vulnerabilities classed as high-risk.

One of the issues raised in the Open Source Security and Risk Analysis Report is the sustainability of open source code. Out of all codebases analyzed in 2020, 91% contained open source dependencies that had seen no development activity for two years. Those dependencies are a significant security risk as no security updates have been performed for at least two years. When new versions of open source dependencies are released, companies are slow to update them. 85% of all codebases had out-of-date open source dependencies and, on average, the dependencies were four years out of date.

The study showed that 65% of audited codebases in 2020 had licensing conflicts, and 26% of codebases were using open source code with no license or a customized license. Missing licenses and licensing conflicts are violations of copyright law and place companies at risk of litigation for unauthorized code use. Notably, litigation over unauthorized open source code use is rising worldwide.

Open source is at the heart of virtually all applications. The growth in the use of open source has been tremendous, but the increase in use has been accompanied by an increase in risk. It is essential for businesses that use open source code to maintain a comprehensive inventory of all open source dependencies they use, keep abreast of vulnerabilities, ensure patches are promptly applied to address security risks, and conduct scans to identify potential licensing issues. That can be a time-consuming process; however, software composition analysis tools can automate it and lessen the load.
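The two checks the report keeps coming back to – cross-referencing a dependency inventory against known vulnerabilities (the lodash CVE-2019-10744 example above, fixed in 4.17.12) and flagging components whose upstream has seen no activity for two years – are what a software composition analysis tool automates. The following script is an added illustration of that logic in miniature; it is not Black Duck code or any Synopsys tooling. The advisory list, the inventory entries, the `last_activity` dates and the package names other than lodash are constructed sample data, and the simple numeric version comparison stands in for full semver handling.

```python
"""Minimal SCA-style audit of a constructed dependency inventory (added example).

Two checks: (1) is any dependency at a version below the advisory's fixed
version, and (2) has any dependency's upstream been inactive for two years.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    package: str
    cve: str
    fixed_in: str      # first version that is no longer affected
    high_risk: bool    # public PoC / RCE / exploited in the wild, per the report's definition


@dataclass(frozen=True)
class Dependency:
    package: str
    version: str
    last_activity: date   # most recent upstream release or commit (constructed here)


def parse_version(version: str) -> tuple:
    """Turn '4.17.11' into (4, 17, 11) so tuples compare numerically.

    A pre-release suffix such as '-beta.1' is dropped; a shorter tuple like
    (4, 17) sorts below (4, 17, 12), which is the conservative choice for
    an audit (an unknown patch level is treated as older).
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str, fixed_in: str) -> bool:
    """True when `version` is strictly below the advisory's fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def find_vulnerabilities(deps, advisories):
    """Pair every dependency with every advisory that still applies to it."""
    return [
        (dep, adv)
        for dep in deps
        for adv in advisories
        if dep.package == adv.package and is_vulnerable_version(dep.version, adv.fixed_in)
    ]


def stale_dependencies(deps, today: date, years: int = 2):
    """Dependencies with no upstream activity for `years` (365-day years)."""
    return [dep for dep in deps if (today - dep.last_activity).days >= years * 365]


def audit(deps, advisories, today: date) -> dict:
    """Summarise the inventory the way an SCA report would: vulnerable
    (package, version, CVE) triples, the high-risk count, and stale packages."""
    vulns = find_vulnerabilities(deps, advisories)
    return {
        "vulnerable": [(dep.package, dep.version, adv.cve) for dep, adv in vulns],
        "high_risk": sum(1 for _, adv in vulns if adv.high_risk),
        "stale": [dep.package for dep in stale_dependencies(deps, today)],
    }


# Advisory taken from the report summary: lodash CVE-2019-10744, fixed in 4.17.12.
ADVISORIES = [Advisory("lodash", "CVE-2019-10744", "4.17.12", high_risk=True)]

# Constructed inventory; the example-* names and all dates are sample data.
INVENTORY = [
    Dependency("lodash", "4.17.11", date(2019, 7, 1)),            # below fixed version
    Dependency("lodash", "4.17.21", date(2021, 2, 20)),           # transitive copy, patched
    Dependency("example-abandoned-lib", "1.0.0", date(2018, 3, 15)),  # no activity > 2 years
    Dependency("example-maintained-lib", "2.3.4", date(2021, 2, 1)),
]

SAMPLE_TODAY = date(2021, 5, 1)   # fixed "today" so the sample audit is reproducible


def run_sample_audit() -> dict:
    return audit(INVENTORY, ADVISORIES, SAMPLE_TODAY)


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
```

Real tooling replaces the hand-written advisory list with a vulnerability feed and reads the inventory from lock files or build manifests, but the decision logic is the same: a match on package name plus a version below the fixed release is a finding, and a component that has gone quiet upstream is a maintenance risk even with no CVE against it.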