Stale Open Source Code Rampant in Commercial Software: Report – TechNewsWorld

Organizations, regardless of industry, must do a better job maintaining open source components given their critical nature in software, according to this year’s risk analysis report by cybersecurity firm Synopsys.
Open source software is now the foundation for the vast majority of applications across all industries. But many of those industries are struggling to manage open source risk.
Synopsys released the 2021 Open Source Security and Risk Analysis (OSSRA) report on April 13. The report examines open source audit results, including usage trends and best practices across commercial applications.
Researchers analyzed more than 1,500 commercial codebases and found that open source security, license compliance, and maintenance issues are pervasive in every industry sector. The report highlights trends in open source usage within commercial applications and provides insights to help commercial and open source developers better understand the interconnected software ecosystem.
Consider that all the companies audited in the marketing tech industry sector had open source in their codebases. These include major software platforms used for lead generation, CRM, and social media. Ninety-five percent of those codebases contained open source vulnerabilities.
“That more than 90 percent of the codebases were using open source with no development activity in the past two years is not surprising,” said Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.
The Synopsys report details the pervasive risks posed by unmanaged open source code. These risks range from security vulnerabilities, to outdated or abandoned components, to license compliance issues.
“Unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive. When an open source component is adopted into a commercial offering without that engagement, project vitality can easily wane,” Mackey explained.
Orphaned projects are not a new problem. When they occur, addressing security issues becomes that much more difficult. The solution is a simple one — invest in supporting those projects you depend upon for your success, he added.

Open source risk trends identified in the 2021 OSSRA report show that outdated open source components in commercial software are the norm. A hefty 85 percent of the codebases contained open source dependencies that were more than four years out of date.
One of the most significant takeaways from this year’s report was the predominant growth of orphaned open source code, according to Fred Bals, senior researcher, Synopsys Cybersecurity Research Center.
“An alarming 91 percent of the codebases we audited contained open source that had no development activity in the last two years — meaning no code improvements and no security fixes,” he told LinuxInsider. “Orphaned open source is a significant and growing problem.”
Unlike abandoned projects, outdated open source components have active developer communities that publish updates and security patches that are not being applied by their downstream commercial consumers, according to Mackey.
Beyond the obvious security implications of neglecting to apply patches, the use of outdated open source components can contribute to unwieldy technical debt. That debt comes in the form of functionality and compatibility issues associated with future updates.
The prevalence of open source vulnerabilities is trending in the wrong direction, according to researchers. In 2020, the percentage of codebases containing vulnerable open source components rose to 84 percent, a nine percent increase from 2019.
Similarly, the percentage of codebases containing high-risk vulnerabilities jumped from 49 percent to 60 percent. Several of the top 10 open source vulnerabilities found in codebases in 2019 reappeared in the 2020 audits with significant percentage increases.
Over 90 percent of the audited codebases contained open source components with license conflicts, customized licenses, or no license at all. Another factor is that 65 percent of the codebases audited in 2020 contained open source software license conflicts, typically involving the GNU General Public License, according to the report.
Synopsys 2021 Open Source Security & Risk Analysis Report
At least 26 percent of the codebases were using open source with no license or a customized license. All three issues often need to be evaluated for potential intellectual property infringement and other legal concerns, especially in the context of merger and acquisition transactions, researchers noted.
All of the companies audited in the marketing tech category — which includes lead-generation, CRM, and social media — contained open source in their codebases. Almost all of them (95 percent) had open source vulnerabilities.
Researchers found comparable figures in the audited codebases of the retail, financial services, and healthcare sectors, according to Bals.
In the healthcare sector, 98 percent of the codebases contained open source. Within those codebases 67 percent contained vulnerabilities.
In the financial services/fintech sector 97 percent of the codebases contained open source. Over 60 percent of those codebases contained vulnerabilities.
In the retail and e-commerce sector, 92 percent of codebases contained open source, and 71 percent of the codebases contained vulnerabilities.
In 2020 the percentage of codebases containing high-risk vulnerabilities jumped from 49 to 60 percent. What was more disturbing is that several of the top 10 open source vulnerabilities found in 2019 codebases reappeared in the 2020 audits, all with significant percentage increases, observed Bals.
“When you look at the industry breakdowns, there is an indication that the increase in vulnerabilities may be at least partly due to the pandemic and the significant increase in the use of marketing, retail, and customer relationship technologies,” he explained.
Open source is by and large safe, Bals insisted. It is the unmanaged use of open source that creates the issue.

“Developers and the businesses behind them need to treat the open source they use in the same way as the code they write themselves. That means creating and maintaining a comprehensive inventory of the open source their software uses, getting accurate information on vulnerability severity and exploitability, and having a clear direction on how to patch the affected open source,” he said.
Not too long ago commercial vendors referred to open source as “snake oil” and even as a disease, noted Bals. Many commercial companies even banned their developers from using open source.
Happily, those days are over. You would be hard-pressed today to find an application that does not depend on open source, he countered.
“But open source management has not yet caught up with open source use. Many development teams are still using manual processes like spreadsheets to track open source. There is now much too much open source to track without automating the process,” he added.
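The inventory-plus-automation approach Bals describes can be reduced to a small script. The following is an added example, not code from the article, from Synopsys, or from the OSSRA report: it reads a component inventory in the kind of spreadsheet (CSV) layout the article says many teams still maintain by hand, and flags each entry for the risk classes the report describes. The thresholds come from the article (a version more than four years old with a newer release available, no upstream activity in two years); the way "out of date" is measured, the set of copyleft licenses treated as a conflict for a proprietary product, and all component names, dates and advisory identifiers are constructed assumptions for illustration.

```python
"""Automated open source inventory checks (added example; constructed data)."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Thresholds quoted in the article: dependencies more than four years out of
# date, and no upstream development activity in the last two years.
OUTDATED_YEARS = 4
ORPHANED_YEARS = 2

# Licenses treated as a potential conflict when shipped in a proprietary
# product. The set is an assumption for this example, not a legal opinion.
COPYLEFT_LICENSES = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}


@dataclass
class Component:
    name: str
    version: str
    used_release: date     # release date of the version actually in use
    latest_release: date   # release date of the newest upstream version
    last_activity: date    # most recent upstream commit or release
    license: str           # SPDX id, "CUSTOM", or "" when no license was found
    advisories: tuple = () # known advisory ids against the version in use


def _years(earlier, later):
    """Elapsed time between two dates in (approximate) years."""
    return (later - earlier).days / 365.25


def assess(c, today, proprietary=True):
    """Return the list of risk findings for one component."""
    findings = []
    # Outdated: a newer release exists and the version in use is old.
    if c.latest_release > c.used_release and _years(c.used_release, today) > OUTDATED_YEARS:
        findings.append("outdated")
    # Orphaned: nobody upstream has touched the project recently.
    if _years(c.last_activity, today) > ORPHANED_YEARS:
        findings.append("orphaned")
    if c.advisories:
        findings.append("vulnerable")
    if not c.license:
        findings.append("no-license")
    elif c.license == "CUSTOM":
        findings.append("custom-license")
    elif proprietary and c.license in COPYLEFT_LICENSES:
        findings.append("license-conflict")
    return findings


def load_inventory(csv_text):
    """Parse a spreadsheet-style CSV export into Component records."""
    comps = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        comps.append(Component(
            name=r["name"].strip(),
            version=r["version"].strip(),
            used_release=date.fromisoformat(r["used_release"]),
            latest_release=date.fromisoformat(r["latest_release"]),
            last_activity=date.fromisoformat(r["last_activity"]),
            license=r["license"].strip(),
            advisories=tuple(a.strip() for a in r["advisories"].split(";") if a.strip()),
        ))
    return comps


def audit(components, today, proprietary=True):
    """Per-component findings plus the percentage of components with each issue."""
    report = {c.name: assess(c, today, proprietary) for c in components}
    categories = ("outdated", "orphaned", "vulnerable",
                  "no-license", "custom-license", "license-conflict")
    n = len(components)
    summary = {k: (round(100 * sum(k in f for f in report.values()) / n) if n else 0)
               for k in categories}
    return report, summary


# Constructed inventory: names, dates and advisory ids are placeholders.
INVENTORY_CSV = """name,version,used_release,latest_release,last_activity,license,advisories
libfoo,1.2.0,2015-03-10,2020-11-02,2021-01-15,MIT,
barparser,0.9.1,2016-06-01,2016-06-01,2016-06-01,,EXAMPLE-ADV-0001
quxcrypt,2.4.7,2020-09-21,2021-02-14,2021-03-30,GPL-3.0-only,
bazutil,3.1.0,2019-12-05,2021-03-01,2021-04-01,CUSTOM,EXAMPLE-ADV-0002;EXAMPLE-ADV-0003
"""

AUDIT_DATE = date(2021, 4, 13)  # the report's release date, used as "today"

if __name__ == "__main__":
    report, summary = audit(load_inventory(INVENTORY_CSV), AUDIT_DATE)
    for name, findings in report.items():
        print(f"{name:10s} {', '.join(findings) or 'ok'}")
    print(summary)
```

Running it prints one line per component and a percentage summary in the same shape as the report's headline figures. In practice the CSV would be replaced by a generated software bill of materials and the advisory column by a feed lookup, but the point of the example is that each of the report's risk classes is a mechanical check once the inventory exists.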
Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
Selling software is more important than improving software?
Copyright 1998-2022 ECT News Network, Inc. All Rights Reserved.