Developers
June 11, 2020

Insecure, Open-Source Software Poses Risk to 90% of Companies

Open-source software is a vital component for companies worldwide, yet poor practices open them up to security risks.
Source: Pixabay

Gone are the days when the debate between closed and open-source software raged on. Now, virtually every major company in the world relies on open-source software to some degree or another, with some companies’ entire operations dependent on it.

Benefits of Open-Source Software

There are a number of reasons why open-source has become so popular and had such a transformative impact on industries.

Cost

One of the most obvious benefits of open-source is cost. Because the code is freely available, the upfront cost is negligible. This can be a major factor for small companies and startups that don’t have the budget to invest millions in commercial software.

Even larger companies often see significant cost savings by migrating to open-source software. With tens of thousands of workstations, using even one open-source application or package can make a big difference.

Customization

Another big advantage of open-source software is the ability to customize it according to a company’s exact needs. As industries change and evolve, it can be a challenge for companies to find commercial software that keeps up with those needs. Alternatively, a software provider may make a change that suits the majority of its customers but leaves a small portion behind.

Open-source software can be a lifesaver in these situations. With full access to the underlying source code, a company is no longer dependent on a single vendor for the software they need to run their business. Instead, they can take an open-source package, customize it, tweak it and add to it until it perfectly does what they need.

Longevity

Closely related is the benefit of longevity. As stated above, sometimes a software vendor makes a design choice that leaves some of its customers orphaned. Even worse, sometimes a company goes out of business, leaving its customers to find another solution altogether.

Open-source software, on the other hand, gives a company options that go beyond reliance on a single vendor.

Security

Another major advantage is security. Because anyone can inspect the underlying code, bugs and security vulnerabilities in open-source software can be found and fixed by the wider community rather than only by a single vendor, and the resulting fixes are published openly.

That advantage only materializes, however, if the companies using the code actually track those disclosures and pull in the fixes. Unfortunately, technology firm Synopsys found that the vast majority of companies are falling short in precisely the area where open-source software should be giving them a significant edge.

The Synopsys Report

In their 2020 Open Source Security and Risk Analysis (OSSRA) report, Synopsys Cybersecurity Research Center (CyRC) studied “over 1,250 commercial codebases in 17 industries, including Enterprise Software/SaaS; Healthcare, Health Tech, Life Sciences; Financial Services & FinTech; and Internet & Software Infrastructure.”

Of the 1,250 codebases, some 99% contained open-source components. This is a remarkable penetration rate, and shows just how popular open-source software is across a wide range of industries.

Unfortunately, however, some 91% of the codebases contained open-source components that were at least four years out of date or had seen no development activity in the last two years.

Worse yet, 75% of the codebases contained at least one known vulnerability, with 49% of the codebases containing high-risk vulnerabilities.

Unfortunately for the companies involved, running unpatched open-source software can pose an even greater risk than running unpatched closed-source software. Closed source is no real barrier to a determined attacker, who can reverse-engineer a binary or diff a vendor’s patch to locate the fix, but it does raise the cost of finding a flaw, so “security through obscurity” buys a little time.

In the case of open-source, however, the very thing that should be an advantage becomes a disadvantage. A vulnerability in a popular open-source component is typically disclosed publicly, with the affected version range and often a public proof-of-concept exploit alongside it. Anyone can read the code, see exactly what the flaw is and how to trigger it, and scan for deployments still reporting a vulnerable version. As a result, leaving a known vulnerability unpatched in open-source software is a recipe for disaster: the risk is not that the flaw exists, but the length of time between its disclosure and the patch being applied.

The Solution

As a result of their report, Synopsys makes the following observation:

“As the data demonstrates, modern applications consistently contain a wealth of open source components with possible security, licensing, and code quality issues. How you manage your open source usage matters greatly. The more diligent your attention to the differences between commercial software and open source, the better the outcomes.”

Synopsys goes on to recommend common-sense steps that every company should take. These include taking an inventory of the open-source software in use, monitoring vulnerability disclosures, creating policies to manage open-source components, performing open-source due diligence audits and maintaining good relations with the open-source communities for the packages being used.
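The inventory, disclosure-monitoring and policy steps above can be expressed as a small software-composition check. The following is an added example written for this page; it is not code from the article or from Synopsys, and it does not reproduce the OSSRA methodology. It assumes a requirements.txt-style manifest with `name==version` pins, an advisory feed that lists the first fixed version per package, and release metadata giving the latest version and last release date. All package names, versions, dates and advisory identifiers are constructed placeholders, not real components or CVEs.

```python
# Added example (not from the article or Synopsys): a minimal
# software-composition check that builds an inventory from a manifest,
# matches it against an advisory feed and flags stale components.
# All package names, versions, dates and advisory IDs are constructed.
from datetime import date, timedelta

# Constructed requirements.txt-style manifest.
SAMPLE_MANIFEST = """
# third-party components pinned by the build
webframework==2.1.0
imgparser==1.4.2
loghelper==0.9.1
"""

# Constructed advisory feed. IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "imgparser",
     "affected_below": "1.5.0", "severity": "high"},
    {"id": "EXAMPLE-2019-0042", "package": "webframework",
     "affected_below": "2.0.5", "severity": "medium"},
]

# Constructed release metadata: latest version and last release date.
SAMPLE_RELEASES = {
    "webframework": {"latest": "2.1.0", "last_release": date(2020, 3, 1)},
    "imgparser": {"latest": "1.5.0", "last_release": date(2020, 5, 15)},
    "loghelper": {"latest": "0.9.1", "last_release": date(2015, 1, 10)},
}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); non-numeric tails are dropped so tuples compare."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_manifest(text):
    """Inventory step: map each pinned package name to its version."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerabilities(inventory, advisories):
    """Disclosure-monitoring step: a pinned version below the first fixed
    version is affected by the advisory."""
    findings = []
    for adv in advisories:
        pinned = inventory.get(adv["package"])
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(adv["affected_below"]):
            findings.append({"package": adv["package"], "pinned": pinned,
                             "fixed_in": adv["affected_below"],
                             "severity": adv["severity"], "id": adv["id"]})
    return findings


def find_stale(inventory, releases, today, max_age_years=2):
    """Flag components with no release within max_age_years (the report's
    'no active development' criterion) and components pinned behind latest."""
    cutoff = today - timedelta(days=365 * max_age_years)
    stale, outdated = [], []
    for name, pinned in inventory.items():
        meta = releases.get(name)
        if meta is None:
            stale.append(name)  # no upstream metadata: treat as unmaintained
            continue
        if meta["last_release"] < cutoff:
            stale.append(name)
        if parse_version(pinned) < parse_version(meta["latest"]):
            outdated.append(name)
    return stale, outdated


def audit(manifest, advisories, releases, today, fail_on=("high", "critical")):
    """Policy step: combine the checks and decide whether the build passes.
    Stale and outdated components are reported but only the severities in
    fail_on block the build."""
    inventory = parse_manifest(manifest)
    vulns = find_vulnerabilities(inventory, advisories)
    stale, outdated = find_stale(inventory, releases, today)
    blocking = [v for v in vulns if v["severity"] in fail_on]
    return {"inventory": inventory, "vulnerabilities": vulns,
            "stale": stale, "outdated": outdated,
            "passes_policy": not blocking}


def run_sample():
    """Run the audit over the constructed data with a fixed 'today'."""
    return audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, SAMPLE_RELEASES,
                 date(2020, 6, 11))


if __name__ == "__main__":
    report = run_sample()
    for v in report["vulnerabilities"]:
        print(f"{v['id']}: {v['package']} {v['pinned']} < {v['fixed_in']} "
              f"({v['severity']})")
    print("stale:", report["stale"], "outdated:", report["outdated"])
    print("policy:", "PASS" if report["passes_policy"] else "FAIL")
```

In a real pipeline the manifest would come from the build, the advisory feed from a vulnerability database and the release metadata from the package registry; the point of the check is that all three are refreshed on every build, so a disclosure against a component you already ship turns into a failed build rather than a surprise.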

The Takeaway

Open-source software is a valuable component of many companies’ operations and offers a number of advantages that commercial off-the-shelf solutions cannot match.

At the same time, companies and their developers must take responsibility for auditing, maintaining and securing their open-source components. Otherwise, they leave themselves open to a plethora of potential problems.

Tags: Open-Source, Security Risks, Cyber Security
Matt Milano
Technical Writer
Matt is a tech journalist and writer with a background in web and software development.
