Open Source Security Report Highlights Licensing and Updating Issues

The number of open source components in an application grew by almost 19 percent over the past year, writes Tim Mackey in a recent article at The New Stack.

In the article, Mackey, Principal Security Strategist with the Synopsys Cybersecurity Research Center, provides an overview of the center's recent Open Source Security and Risk Analysis (OSSRA) report.

In noting highlights from the report, which is based on 1,546 audits of commercial software performed in 2020, Mackey says, “Of the codebases audited last year, we found that 98 percent of them contained open source and a whopping 84 percent had at least one vulnerability (with an average of 158 per codebase).”

Additionally, “91 percent of the codebases audited contained open source components that hadn’t seen any development activity in the past two years.” As Mackey explains, “this tells us that while the open source community does an exemplary job of addressing security issues, an alarming number of companies simply aren’t applying those patches.”

Appropriate licensing is also an issue, with 65 percent of the codebases audited containing open source software license conflicts, typically involving the GNU General Public License. “Twenty-six percent of codebases were using open source with no license, or a customized license,” Mackey says.

Read the complete article at The New Stack.