88% of Organizations are Still Behind in Keeping Open Source Updated

Charlotte Freeman, Software Security Advocate, Synopsys
The seventh annual Synopsys OSSRA report highlights trends in open source adoption and provides insights to help organizations better understand the connected software ecosystem to which they belong. The Open Source Security & Risk Analysis (OSSRA) report also describes the pervasive risks posed by unmanaged open source, including security vulnerabilities, obsolete or discontinued components, and license compliance issues.
The findings of the 2022 OSSRA report underscore the fact that open source is used everywhere, in every industry, and is the foundation of every application built today. Here we examine some key open source trends uncovered in the 2022 OSSRA report.
All of the industries surveyed contained a high proportion of open source
Four of the 17 industries represented in the 2022 OSSRA report – Computer Hardware and Semiconductors, Cybersecurity, Energy and Clean Technologies, and Internet of Things – contained open source in 100% of their audited codebases. The remaining industries had open source in 93% to 99% of their codebases.
Yes, open source really is everywhere. A January 2022 White House briefing statement described software as “ubiquitous in all sectors of our economy and fundamental to the products and services Americans use every day. Most major software packages contain open source software… [which] brings unique value but has unique challenges.”
Patch management is still a challenge
Of the codebases reviewed, 2,097 contained security and operational risk assessments, and 81% of those codebases contained at least one vulnerability, a modest 3% decrease from the 2021 OSSRA results. The drop in codebases containing at least one high-risk open source vulnerability was more pronounced: 49% of the codebases examined contained at least one high-risk vulnerability, down 11% from the previous year.
From an operational risk/maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out of date. Eighty-eight percent used components that were not the latest version available.
Even more worrisome, of the 2,097 codebases we examined that contained risk assessments, 88% contained outdated versions of open source components. That is, an update or patch was available but had not been applied.
There are legitimate reasons for not keeping software up to date, but it is likely that a large share of that 88% is due to DevSecOps teams simply not knowing that a newer version of an open source component is available. If an organization does not keep an accurate and up-to-date inventory of the open source used in its code, a component can be forgotten until it becomes vulnerable to a high-risk exploit, and only then does the scramble begin to find out where it is used and whether the update has been applied.
That is exactly what happened with Log4j. Somewhat lost in the uproar over the Log4j vulnerabilities was the fact that the panic often stemmed from organizations not knowing where Log4j was in certain systems and applications, or whether it was there at all. The problem was then multiplied across thousands of IT groups struggling to answer questions like, “Are we vulnerable to Log4Shell? Is our vendor’s software vulnerable? Are the customers using our software vulnerable?”
Steps to Smarter Open Source Management
In the world of 2022, where 97% of commercial code is open source, a software bill of materials (SBOM) listing the open source components used in an application must be considered mandatory for any effective DevSecOps or AppSec effort.
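To make the point concrete, here is an added example (not from the OSSRA report or any Synopsys tool) of the kind of check an SBOM enables: given a CycloneDX-style component list and a table of the latest known versions, it reports which components are behind, which ones the feed knows nothing about, and whether a particular library (here log4j-core) is present at all. The SBOM fragment and the "latest known version" table are constructed sample data; the version comparison is a simple numeric-tuple comparison, not a full semantic-versioning implementation.

```python
"""Answer "what open source do we ship, and is it current?" from an SBOM.

Added example; the SBOM document and LATEST_KNOWN table below are
constructed sample data, not real project inventory.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample data only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.4"},
        {"type": "library", "group": "org.example",
         "name": "left-pad-ish", "version": "1.0.0"},
    ],
})

# Constructed "latest known version" feed. In practice this would come
# from the package registry or an SCA tool; the values are sample data.
LATEST_KNOWN = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.4",
}


def parse_version(text):
    """Turn '2.14.1' or '2.14.1-rc1' into a tuple of ints.

    Leading numeric dot-separated parts are kept; the first non-numeric
    piece (pre-release tags, build metadata) ends the parse.
    """
    parts = []
    for piece in re.split(r"[.\-+]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_outdated(current, latest):
    """True when `latest` is numerically newer than `current`.

    Tuples are zero-padded so that '2.14' and '2.14.0' compare equal.
    """
    a, b = parse_version(current), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def load_components(sbom_json):
    """Return [(group:name, version), ...] from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    comps = []
    for c in doc.get("components", []):
        key = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
        comps.append((key, c.get("version", "")))
    return comps


def find_outdated(sbom_json, latest_known):
    """Map each component with a newer known version to (current, latest)."""
    result = {}
    for key, version in load_components(sbom_json):
        latest = latest_known.get(key)
        if latest is None:
            continue  # no data: reported by unknown_components(), not silently passed
        if is_outdated(version, latest):
            result[key] = (version, latest)
    return result


def unknown_components(sbom_json, latest_known):
    """Components the feed has no entry for; these need a manual look."""
    return [key for key, _ in load_components(sbom_json) if key not in latest_known]


def find_component(sbom_json, name_fragment):
    """Answer 'is this library in the application at all?' from the SBOM."""
    return [(k, v) for k, v in load_components(sbom_json) if name_fragment in k]


if __name__ == "__main__":
    for key, (cur, new) in find_outdated(SAMPLE_SBOM, LATEST_KNOWN).items():
        print(f"OUTDATED  {key}: {cur} -> {new}")
    for key in unknown_components(SAMPLE_SBOM, LATEST_KNOWN):
        print(f"UNKNOWN   {key}: not in version feed")
    print("log4j-core present:", find_component(SAMPLE_SBOM, "log4j-core"))
```

The separation between "outdated" and "unknown to the feed" matters in practice: a component the feed cannot vouch for is not evidence that it is current, and an inventory that silently treats it as fine reproduces exactly the blind spot the report describes.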
Click here to read the full OSSRA report and what you can do to protect your business from open source risks.