The 7th annual Synopsys OSSRA report highlights trends in open source usage and provides insights to help companies better understand the interconnected software ecosystem that they are part of. Open Source Security & Risk Analysis (OSSRA) also details the pervasive risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.
The 2022 OSSRA report’s findings underscore the fact that open source is used everywhere, in every industry, and is the foundation of every application built today. Here we examine some important open source trends uncovered in the 2022 OSSRA report.
All industries studied contained a high percentage of open source
Four of the 17 industry sectors represented in the 2022 OSSRA report — Computer Hardware and Semiconductors, Cybersecurity, Energy and Clean Tech, and Internet of Things — contained open source in 100% of their audited codebases. The remaining verticals had open source in 93% to 99% of their codebases.
Open source really is everywhere. A January 2022 White House briefing statement described software as “ubiquitous across every sector of our economy and foundational to the products and services Americans use every day. Most major software packages include open source software… [which] brings unique value but has unique challenges.”
Patch management is still a challenge
Of the audited codebases, 2,097 included security and operational risk assessments; 81% of those contained at least one known vulnerability, a decrease of 3 percentage points from the 2021 OSSRA. The drop was sharper for high-risk vulnerabilities: 49% of the audited codebases contained at least one high-risk open source vulnerability, down 11 percentage points from last year.
From an operational risk and maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out of date. Even more troubling, 88% contained components that were not the latest available version. That is, for the great majority of codebases an update or patch was available but had not been applied.
There are justifiable reasons for not keeping software up to date (an upgrade can change an API or force a round of regression testing), but it’s likely that a large share of that 88% is due to DevSecOps teams simply not knowing that a newer version of a component exists. Unless an organization keeps an accurate, current inventory of the open source in its code, a component can be forgotten until a high-risk vulnerability is disclosed in it, and then the scramble to find every place it is used and to update it begins.
That’s precisely what occurred with Log4j. Somewhat lost in the uproar around the Log4j vulnerabilities (Log4Shell and its follow-ups) was the fact that the panic was often a result of organizations not knowing where Log4j was located within specific systems and applications, or whether it was there at all. The problem was then multiplied across thousands of IT groups, which scrambled to answer questions like, “Are we vulnerable to Log4Shell? Is our vendors’ software vulnerable? Are the customers using our software vulnerable?”
Steps toward smarter open source management
In 2022, when 97% of the commercial codebases audited contained open source, a software bill of materials (SBOM) listing the open source components in an application has to be considered mandatory for any effective DevSecOps or AppSec program. An SBOM turns “are we vulnerable?” from a hunt through build artifacts into a query: match each component’s identifier and version against the affected range in the advisory.
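The following is an added example, not code from Synopsys or the OSSRA report, showing the kind of query an SBOM makes possible. It reads a CycloneDX 1.4 JSON SBOM (a real SBOM format) and answers the two questions raised above: which components fall inside a published affected range, and which are simply not the latest known release. The SBOM, the “latest known version” map and the rule table are all constructed for the demo; in practice the SBOM comes from a generator such as syft or the cyclonedx-maven-plugin, and the rule table is maintained from vendor or NVD advisories rather than hard-coded.

```python
"""Query an SBOM for components in a vulnerable range or behind the latest release.

Added example for this article, not code from Synopsys or the OSSRA report.
All data below (SBOM, latest-version map, rule table) is constructed for the
demo; the version grammar is a simplification of Maven ordering.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.4 SBOM for a hypothetical service "orders-api".
# Two copies of log4j-core are deliberate: a duplicated or shaded dependency
# is exactly the case where "are we vulnerable?" cannot be answered from memory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "orders-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.1",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Assumed "latest release" per package, as an inventory tool would fetch it
# from the registry.  Illustrative values only.
LATEST_KNOWN = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
    "pkg:maven/org.apache.logging.log4j/log4j-api": "2.17.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": "2.13.1",
}


@dataclass(frozen=True)
class Rule:
    purl_base: str    # purl without the "@version" suffix
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    advisory: str


# Affected range as published for CVE-2021-44228 (Log4Shell): log4j-core from
# 2.0-beta9 up to but not including 2.15.0.  Verify against the advisory; the
# point of this example is the lookup, not the rule table.
RULES = [Rule("pkg:maven/org.apache.logging.log4j/log4j-core",
              "2.0-beta9", "2.15.0", "CVE-2021-44228")]

# Dotted integers plus an optional alpha/beta/rc pre-release tag.  Unparseable
# versions raise instead of silently comparing as "safe".
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?$", re.I)


def parse_version(text):
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # treat 2.15 and 2.15.0 as equal
    if m.group(2):                           # pre-release sorts before release
        stage = {"alpha": 0, "beta": 1, "rc": 2}[m.group(2).lower()]
        return (nums, 0, stage, int(m.group(3) or 0))
    return (nums, 1, 0, 0)


def in_range(version, rule):
    v = parse_version(version)
    return parse_version(rule.introduced) <= v < parse_version(rule.fixed)


def split_purl(purl):
    # purl qualifiers ("?type=jar") and subpaths are not handled here.
    base, _, version = purl.rpartition("@")
    return (base, version) if base else (purl, "")


def find_affected(sbom_json, rules):
    """Return [(app, purl, advisory)] for every component inside a rule's range."""
    bom = json.loads(sbom_json)
    meta = bom["metadata"]["component"]
    app = f"{meta['name']} {meta['version']}"
    hits = []
    for comp in bom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        version = version or comp.get("version", "")
        for rule in rules:
            if base == rule.purl_base and in_range(version, rule):
                hits.append((app, comp["purl"], rule.advisory))
    return hits


def find_outdated(sbom_json, latest_known):
    """Return [(purl, latest)] for components older than the known latest release."""
    bom = json.loads(sbom_json)
    stale = []
    for comp in bom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        latest = latest_known.get(base)
        if latest and parse_version(version) < parse_version(latest):
            stale.append((comp["purl"], latest))
    return stale


if __name__ == "__main__":
    for app, purl, advisory in find_affected(SAMPLE_SBOM, RULES):
        print(f"AFFECTED  {app}: {purl} ({advisory})")
    for purl, latest in find_outdated(SAMPLE_SBOM, LATEST_KNOWN):
        print(f"OUTDATED  {purl} -> latest {latest}")
```

Run stand-alone, the script flags the log4j-core 2.14.1 copy as affected while leaving the 2.17.1 copy alone, and reports both 2.14.1 artifacts as behind the latest release. The same loop run over the SBOMs of every application and every vendor deliverable is what lets an organization answer “where is it, and is it vulnerable?” in minutes rather than weeks; the version parser is deliberately strict so that an odd version string surfaces as an error to triage rather than as a silent miss.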