
Report: Don’t Neglect Open Source Security


When using open source software, visibility in the application lifecycle helps decision-makers gather the information they need to make critical decisions and resolve risk.

Jun 9, 2023

In the past few years, open source usage has spiked as companies seek digital transformation and grapple with pandemic-related disruption. While the market has grown, security hasn’t, according to a new report.

In its 8th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report from Synopsys continues to study the current state of open source security, from licensing to compliance, and its most pressing risks.

Of the more than 1,700 open source codebases examined by the report, a shocking 84% contained at least one known open source vulnerability. These findings present a stark reality for many businesses. Open source is a vital part of maintaining technology budgets and encouraging experimentation, but without strategic boundaries and monitoring, the risks far outweigh the benefits.

Many sectors experienced rapid growth in open source usage—aerospace, transportation, and logistics, for example, experienced a 97% growth in the past five years. But vulnerabilities have increased in step, which puts many of our major commercial sectors at serious risk.

See also: Log4j, Like COVID, is Endemic and Still Requires Attention

What companies can do to utilize open source safely

The report identified two specific red flags for companies—using open source without a corresponding license and allowing code to sit unmonitored and unused for extended periods.

For the first red flag, pursuing a license agreement may seem to be the antithesis of open source, but even free code should offer boundaries for use. When companies understand the parameters of the code and actively agree to them, the risk of later conflicts is reduced. For the second, continually monitoring code usage helps ensure that required security patches and updates don't fall through the cracks.
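One way to turn the two red flags above into a repeatable check over a component inventory, as an added example that is not part of the article or the OSSRA report: every component is flagged if it has no declared license, if it falls below the fixed version in an advisory feed, or if nobody has reviewed it for patches in too long. The component names, versions, advisory data and review dates below are all constructed for illustration.

```python
"""Audit a component inventory for the two OSSRA red flags: components with
no declared license, and components left unmonitored (stale review date or
a version still below a known fix). All sample data is constructed."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Component(NamedTuple):
    name: str
    version: str
    license: Optional[str]   # None means no license was declared (red flag 1)
    last_reviewed: date      # last time someone checked it for patches (red flag 2)


# Constructed advisory feed: package -> first version that carries the fix.
# Anything below that version is treated as affected. Not real advisories.
ADVISORIES: Dict[str, str] = {"widget-parser": "2.17.1", "json-lib": "1.2.6"}


def vtuple(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def audit(components: List[Component], today: date,
          max_age_days: int = 90) -> Dict[str, List[str]]:
    """Return {'name@version': [findings]} for every component with an issue."""
    findings: Dict[str, List[str]] = {}
    for c in components:
        issues = []
        if not c.license:
            issues.append("no license declared")
        fixed = ADVISORIES.get(c.name)
        if fixed and vtuple(c.version) < vtuple(fixed):
            issues.append(f"known vulnerable; fixed in {fixed}")
        age = (today - c.last_reviewed).days
        if age > max_age_days:
            issues.append(f"unmonitored for {age} days")
        if issues:
            findings[f"{c.name}@{c.version}"] = issues
    return findings


# Constructed inventory: one stale and vulnerable, one unlicensed, one clean.
SAMPLE = [
    Component("widget-parser", "2.14.1", "Apache-2.0", date(2022, 11, 1)),
    Component("json-lib", "1.2.6", None, date(2023, 5, 20)),
    Component("http-client", "3.0.2", "MIT", date(2023, 6, 1)),
]

if __name__ == "__main__":
    for key, issues in audit(SAMPLE, date(2023, 6, 9)).items():
        print(key, "->", "; ".join(issues))
```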

Companies should strive for complete visibility, even in open source. This visibility in the application lifecycle helps decision-makers gather the information they need to make critical decisions and resolve risk. The study also makes clear, once again, that companies using any third-party software should act as if it contains open source because it most likely does. It’s better to be prepared than surprised.

Elizabeth Wallace

Elizabeth Wallace is a Nashville-based freelance writer with a soft spot for data science and AI and a background in linguistics. She spent 13 years teaching language in higher ed and now helps startups and other organizations explain - clearly - what it is they do.
