The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown.

Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed that:

96 percent of the scanned applications contain open source components, with an average 257 components per application, and that

The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

“Today, open source use is pervasive across every industry and is used by organizations of all sizes. The reasons are straightforward—open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity,” analysts with the Synopsys Center for Open Source Research & Innovation (COSRI) have noted.

“Some open source components are so important to developers that those components are found in a significant share of applications. This year, Bootstrap, an open source toolkit for developing with HTML, CSS, and JavaScript, was present in 40% of all applications scanned, followed closely by jQuery, with 36% of applications including that open source component.”

Vulnerabilities and exploits for them are regularly disclosed through a variety of online sources, such as the National Vulnerability Database, mailing lists, and project home pages. With over 80 percent of all cyber attacks happen at the application level, fixing known vulnerabilities in both commercial and internal applications should be of extreme importance to enterprises and other organizations.

The analysts found that 78% of the codebases examined contained at least one vulnerability, with an average 64 vulnerabilities per codebase.

Open source and the IoT

It’s interesting to note that IoT applications contain a lot of open source components.

“Of the IoT applications scanned, on average 77% of the codebase was comprised of open source components, with an average 677 vulnerabilities per application,” the analysts pointed out.

“The numbers make it strikingly clear that any organization planning to use IoT technology needs to examine the software ecosystem it uses to deliver a device’s features, and account for open source identification and management in its overall security program. Besides examining custom source code for vulnerabilities, companies need to ensure that open source code being used in the Internet of Things does not introduce hidden security vulnerabilities.”

Open source and security

Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.

The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

“Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.

Over 54% of the vulnerabilities the auditors found in the codebases are considered high-risk vulnerabilities, i.e. they are easily exploited. Also, 17% of the codebases contained a highly publicized, “named” vulnerability such as Heartbleed, Logjam, Freak, Drown, and Poodle.

4 percent of the audited codebases still contained Heartbleed, 4 years after its disclosure. 8 percent of them contained Apache Struts, and of those, 33% still contained the Struts vulnerability that resulted in the Equifax breach.

“The debate over whether open source should be used is moot. Today, most application code demonstrably is open source,” the analysts noted, and added that, as the codebase landscape changes, an organization’s application security program needs to evolve to continue to be effective.