Open source code is ubiquitous both in commercial and internal software applications, but security management is not keeping up, a recent study has concluded.

Based on an analysis of data of more than 1,100 commercial codebases audited in 2017, the authors of the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys found that almost every codebase (96%) contained open source components. That is hardly any news (the ratio itself stayed put annually), but a closer look reveals a more intriguing picture.

The percentage of open source components in the codebases of audited applications increased from 36% to 57% between the 2017 and 2018 reports. “Many applications now contain more open source than proprietary code,” reads the report. Each codebase contained an average of 257 open source components – an increase of 75% from the report’s previous edition.

(In)security

Worryingly, vulnerabilities rose in lockstep and abounded, too, as 78% of the codebases contained at least one vulnerability, up from 67% in the previous report. The average number of security holes found per codebase was 64 – an increase of 134%. Most bugs (54%) were classified as high-risk.

Open source code

Credit: OSSRA, synopsys.com

What is more, 17% of the codebases included in the OSSRA report contained at least one well-known vulnerability such as  Heartbleed, POODLE, Logjam, FREAK, and DROWN – notwithstanding the great deal of attention that these flaws have received over the past few years. For example, Heartbleed, a bug that affects the open-source OpenSSL cryptography library, was found in 4% of the scanned codebases four years after the vulnerability took internet security by storm.

Remember the Equifax hack? The attack, which began in May 2017 and was disclosed four months later, was facilitated by a vulnerability in the popular open-source software package Apache Struts. The patch had, in fact, been made available two months before the hack. The OSSRA report has now found that one-third of the analyzed codebases that use Apache Struts in an application contain the same flaw.

Of nine industries included in the report, the highest proportions of codebases with high security risks were detected in the applications of internet and software infrastructure (67%), internet and mobile apps (60%), and virtual reality, gaming, entertainment and media (50%).

As noted by OSSRA, almost 5,000 open source vulnerabilities were discovered in 2017, bringing their total to nearly 40,000 since 2000. Their number is, in fact, part of a larger trend, as last year saw an all-time high for vulnerabilities in open source and proprietary code combined. The number of reported flaws soared from 6,400 in 2016 to more than 14,700 in 2017.