Open source software is now the foundation for the vast majority of applications across all industries. But many of those industries are struggling to manage open source risk.

Organizations, regardless of industry, must do a better job maintaining open source components given their critical nature in software, according to this year’s risk analysis report by cybersecurity firm Synopsys.

Synopsys released the 2021 Open Source Security and Risk Analysis (OSSRA) report on April 13. The report examines open source audit results, including usage trends and best practices across commercial applications. Researchers analyzed more than 1,500 commercial codebases and found that open source security, license compliance, and maintenance issues are pervasive in every industry sector.

The report highlights trends in open source usage within commercial applications and provides insights to help commercial and open source developers better understand the interconnected software ecosystem.

Consider that all the companies audited in the marketing tech industry sector had open source in their codebases. These include major software platforms used for lead generation, CRM, and social media. Ninety-five percent of those codebases contained open source vulnerabilities.

The Synopsys report details the pervasive risks posed by unmanaged open source code. These risks range from security vulnerabilities, to outdated or abandoned components, to license compliance issues.

“That more than 90 percent of the codebases were using open source with no development activity in the past two years is not surprising,” said Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.

“Unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive. When an open source component is adopted into a commercial offering without that engagement, project vitality can easily wane,” Mackey explained.

When security issues do occur, addressing them becomes that much more difficult. The solution is a simple one - invest in supporting those projects you depend upon for your success, he added.

Open source risk trends identified in the 2021 OSSRA report reveal that outdated open source components in commercial software are the norm. A hefty 85 percent of the codebases contained open source dependencies that were more than four years out-of-date.

One of the most significant takeaways from this year’s report was the predominant growth of orphaned open source code, according to Fred Bals, senior researcher, Synopsys Cybersecurity Research Center.

“An alarming 91 percent of the codebases we audited contained open source that had no development activity in the last two years - meaning no code improvements and no security fixes,” he told LinuxInsider. “Orphaned open source is a significant and growing problem.”

Differences Matter

Unlike abandoned projects, outdated open source components have active developer communities that publish updates and security patches that are not being applied by their downstream commercial consumers, according to Mackey.

Beyond the obvious security implications of neglecting to apply patches, the use of outdated open source components can contribute to unwieldy technical debt. That debt comes in the form of functionality and compatibility issues associated with future updates.

The prevalence of open source vulnerabilities is trending in the wrong direction, according to researchers.