Synopsys report finds open source risk management still needs a lot of work

Synopsys, an online software developer, has released a report finding while open source risk management is improving, there are still challenges for most organisations.

The 2019 Open Source Security and Risk Analysis (OSSRA) report was made up of over 1,200 audits of commercial applications and libraries. It found that most of the challenges around open source risk management are still prevalent; however, the market has hit a turning point and awareness and capabilities are improving.

Open source is a type of software in which a source code is released, and the copyrighter allows any users the ability to edit or adapt the software how they wish.

The OSSRA has found open source has become very popular with 96 per cent of codebases that were audited had open source components – there was an average of 298 open source components per codebase, compared with 257 in 2017.

Synopsys stated that an open source license conflict can raise issues for intellectual property risk, and the OSSRA reported that 68 per cent of codebases had a licence conflict, while 38 per cent did not even have an identifiable license.

Another finding from the report was that 85 per cent of codebases had components which were over four years out-of-date and had no developments in two years. This leaves potential vulnerabilities open and unmonitored.

One of the biggest online security worries came from the failing of many organisations in repairing or updating their open source components. There was an average age of vulnerabilities of 6.6 years and 43 per cent of codebases audited had vulnerabilities of over 10 years old.

Going even further, 40 per cent of codebases had at least one high-risk open source vulnerability.

Synopsys Cybersecurity Research Center principal security strategist Tim Mackey said, “Open source plays an increasingly vital role in modern software development and deployment, but to realize its value organizations need to understand and manage how it impacts their risk posture from a security and license compliance perspective,”

“The 2019 OSSRA report provides a glimpse into the state of open source risk management within commercial applications. It shows that there are still significant challenges, with the majority of applications containing open source security vulnerabilities and license conflicts. But it also highlights that these challenges can be addressed, as the number open source vulnerabilities and license conflicts have declined from the previous year.”

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.