Open Source Insight: Global Response to COSRI 2017 Open Source Security and Risk Analysis
1 like440 views
The 2017 Open Source Security and Risk Analysis (OSSRA) report by Black Duck highlights significant risks in open source usage, revealing that 96% of applications analyzed contain open source, with over 60% exhibiting security vulnerabilities. The report emphasizes the need for organizations to manage open source risks effectively and offers insights into the necessary risk management strategies. It notes the prevalence of open source components in commercial software, while also reporting widespread weaknesses in addressing open source security vulnerabilities across various industries.
![Researchers Find Commercial Banking Apps
Contain Swarms of Open-source Bugs
"While many developers rely on open source
components, they may not be keeping ahead of the
game when bugs are discovered," writes ZDNet.
"When bugs are discovered, such as Heartbleed --
an exploitable vulnerability in a component of
OpenSSL -- vendors are responsible for patching
these issues, but the [Black Duck] report
suggested that many companies have a lack of
visibility into their own applications and just how
much they rely on open source components."](https://image.slidesharecdn.com/opensourceinsightapril21-170424172811/85/Open-Source-Insight-Global-Response-to-COSRI-2017-Open-Source-Security-and-Risk-Analysis-10-320.jpg)
![Black Duck Audit Highlights Risk of Open-source Security
Vulnerabilities
“The OSSRA revealed significant risks related to open-source
vulnerabilities and license-compliance challenges," writes SD
Times, “as well as high levels of risk in the retail and ecommerce
industry.”
“We don’t take the position that open source is any less secure
than commercial software, nor is it more secure, frankly, because
it’s software so it’s going to have bugs and vulnerabilities,” said
Mike Pittenger Black Duck vice president of security strategy.
“There are some characteristics about open source software that
make it attractive to an attacker, simply [because] it’s ubiquitous
and it’s a target-rich environment.”](https://image.slidesharecdn.com/opensourceinsightapril21-170424172811/85/Open-Source-Insight-Global-Response-to-COSRI-2017-Open-Source-Security-and-Risk-Analysis-12-320.jpg)
Open Source Insight: Global Response to COSRI 2017 Open Source Security and Risk Analysis
- 1. Open Source Insight: Global Response to COSRI 2017 Open Source Security and Risk Analysis By Fred Bals, Senior Content Writer & Editor
- 2. Many Black Duck-related news stories in this week’s edition of Open Source Insight, thanks to the release of our 2017 Open Source Security and Risk Analysis detailing significant cross- industry risks related to open source vulnerabilities and license compliance challenges. This Week’s Key Takeaways
- 3. This Week’s Key Takeaways Black Duck conducts hundreds of open source code audits annually, primarily related to merger and acquisition transactions. Our Center for Open Source Research & Innovation (COSRI) analyzed over 1,000 applications and found both high levels of open source usage — 96% of the apps examined contained open source — and significant risk to open source security vulnerabilities — more than 60% of the apps contained open source security vulnerabilities
- 4. Other open source security and cybersecurity stories include: • Open Source Software: Risk Management Designed to Combat the Vulnerabilities • Why You Must Build Cybersecurity into Your Applications • Open Source Management Gaps Remain a Problem • Report: Commercial Software Riddled With Open Source Code Flaws More Open Source News
- 5. Open Source Software: Risk Management Designed to Combat the Vulnerabilities In the April 2017 edition of Risk UK magazine, Black Duck COSRI research director, Chris Fearon, explains why open source risk management is a must for business. “… even if they know that open source is a key part of their firm’s success, some executives – even those in the IT department – might be surprised to find how much their business’s solutions depend on open source and how much open source they use to deliver within a continuous integration environment and on a continuous release schedule.”
- 6. “In a series on how companies can create the right security portfolio for their needs,” writes Forbes contributor Dan Woods, “I’ve put forward a five-step approach: 1) Determine Needs, 2) Allocate Spending According to Risk, 3) Design Your Portfolio, 4) Choose the Right Products, and 5) Rebalance as Needed. Those five steps need to address the five core tenets of cybersecurity as identified by the National Institute for Standards and Technology (NIST) framework, which are identification, prevention, detection, response, and recovery. However, how companies allocate their investments in each of these buckets can and should be customized to their individual assets and operations." Why You Must Build Cybersecurity into Your Applications
- 7. New Audit Report Shows Open Source Management Gaps Remain a Problem “Black Duck is a company that thrives off data,” blogs Senior Product Marketing Manager, Evan Klein. “So when we have a chance to take a step back and really analyze the state of open source use and open source management at organizations worldwide, we feel it important to provide those data-driven insights to our customers, and to the industry as a whole That's why we've released the 2017 Open Source Security and Risk Analysis (OSSRA).”
- 8. “The OSSRA takes a look at Black Duck On- Demand Audits of over 1000 commercial applications to explore the state of open source, understand the progress organizations have made toward managing open source risk, and offer recommendations to help those organizations manage security threats and license risks.” New Audit Report Shows Open Source Management Gaps Remain a Problem
- 9. Report: Commercial Software Riddled With Open Source Code Flaws There are widespread weaknesses in addressing open source security vulnerability risks across key industries, the audits show. "From the security side, 96 percent of the applications are using open source," noted Mike Pittenger, vice president for security strategy at Black Duck Software. "The other big change we see is more open source is bundled into commercial software," he told LinuxInsider.
- 10. Researchers Find Commercial Banking Apps Contain Swarms of Open-source Bugs "While many developers rely on open source components, they may not be keeping ahead of the game when bugs are discovered," writes ZDNet. "When bugs are discovered, such as Heartbleed -- an exploitable vulnerability in a component of OpenSSL -- vendors are responsible for patching these issues, but the [Black Duck] report suggested that many companies have a lack of visibility into their own applications and just how much they rely on open source components."
- 11. "A software audit conducted for the Black Duck 2017 Open Source Security and Risk Analysis (OSSRA) has found that financial applications had an average of 52 open source vulnerabilities," writes Computer Weekly managing editor, Chris Saran. Chris Fearon, director at Black Duck’s Open Source Security Research Group, COSRI’s security research arm, said: “The results of the COSRI analysis clearly demonstrate that organisations in every industry have a long way to go before they are effective at managing their open source.” Black Duck said every version of Linux, PHP, Ruby on Rails and MS.Net contained high-risk vulnerabilities. Majority of Open Source Has Security Flaws
- 12. Black Duck Audit Highlights Risk of Open-source Security Vulnerabilities “The OSSRA revealed significant risks related to open-source vulnerabilities and license-compliance challenges," writes SD Times, “as well as high levels of risk in the retail and ecommerce industry.” “We don’t take the position that open source is any less secure than commercial software, nor is it more secure, frankly, because it’s software so it’s going to have bugs and vulnerabilities,” said Mike Pittenger Black Duck vice president of security strategy. “There are some characteristics about open source software that make it attractive to an attacker, simply [because] it’s ubiquitous and it’s a target-rich environment.”
- 13. "Most commercial applications use open source components to save developers from the time and expense of reinventing the wheel," writes WebWork Magazin. "However, this can be a problem, according to the risk analysis conducted by the specialist for open source audits Black Duck Software because of the partial use of obsolete and vulnerable open-source components." Risko durch Open Source Komponenten (Risk through Open Source Components)
- 14. Open Source ist allgegenwärtig – und gefährlich (Open Source is ubiquitous - and dangerous) Black Duck editorial comment: Neither Black Duck nor our OSSRA report maintain that open source is “gefährlich,” as the article’s title implies. Rather, we consider the lack of businesses’ insight into the open source they use and sloth in addressing vulnerability and licensing risks as dangerous. We also recommend the 200+ readers’ comments appended to the article, which clearly show the passion of the global community for open source software, a passion which Black Duck shares.
- 15. via Heise Online: “Little comes without open source components. This is a core result of Open Source Security and Risk Analysis (OSSRA) 2017, for which specialist in open source audits Black Duck Software has examined over 1000 commercial applications. On average, a good third of the code came from open source projects; JQuery, Bootstrap, JUnit, Apache Log4j and software from the Apache-Commons project were used most frequently.” Open Source ist allgegenwärtig – und gefährlich (Open Source is ubiquitous - and dangerous)
- 16. Open Source in mehr als 90 Prozent aller Anwendungen (Open Source in more than 90 percent of all applications) via Silicon.de: "Whether open source is suitable for enterprise applications is no longer in question. More than 96 percent of applications include open-source components, based on the results of a software audit by Black Duck Software for which more than 1000 applications were tested. At the same time, more than 60 percent of the applications audited had known open source vulnerabilities."
- 17. Subscribe Stay up to date on open source security and cybersecurity – subscribe to our blog today.