The state of open source in commercial apps: You're using more than you think

Mike Pittenger, Vice President, Security Strategy, Black Duck

Earlier this year, Black Duck released the results of a study of more than 200 applications reviewed by our On-Demand team over a six-month period, from late 2015 through early 2016. Black Duck’s On-Demand business conducts audits of customer software, often in merger or acquisition situations. Typically, the audits include commercial software that has been in the market for a number of years.

What we found in our study is that, from a practical aspect, everyone is using open source. Open source code comprised more than 35 percent of the average commercial applications we reviewed. If we were looking at code developed for internal use, the percentage was much higher—as high as 75 percent.

It wasn’t unusual for us to find more than 100 unique open-source components in each application reviewed, a number that came as a surprise to many of our clients. Most believed they were using an average of 70 or fewer open-source components. In fact, the average was closer to double that number.

Here are some problems with the use of open source you need to be aware of.

Lack of visibility results in vulnerability issues

Among other highlights of our study:

  • Two-thirds (67 percent) of the applications reviewed contained known open-source security vulnerabilities.
  • More than a third (39.5 percent) of the open-source vulnerabilities in each application were rated as “severe.”
  • Ten percent of applications reviewed contained the highly publicized Heartbleed vulnerability.

On average, the vulnerabilities we identified had been disclosed more than five years before our analysis. This indicates that the organizations with the problematic code didn’t know about the vulnerabilities, probably because they didn’t know the component was present.

Even more interesting—or more frightening—is that even well-known and relatively ancient vulnerabilities such as Heartbleed are flying under the radar. Our study found that over 10 percent of the applications tested included Heartbleed, and almost 10 percent included POODLE. LogJam and FREAK each affected almost 5 percent of the applications.

When commercial apps unknowingly carry open source

If you’re using open source—and based on our research, chances are good that you are—then the chances are also good that you’re including open-source vulnerabilities in your applications. This doesn’t mean organizations should stop using open source, and of course they won’t, no matter what studies show. However, the problem of not knowing what open source is in the code of your commercial application is real from both a license compliance and a security perspective.

From a legal standpoint, businesses want to confirm that their software is not subject to intellectual property risk. From a security standpoint, businesses need to understand the security profile of their software. While many companies deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities in popular open-source components.

Not knowing is no defense

If you’re not aware of the open source you have in use, you can’t defend yourself from open-source security and license compliance issues. Awareness begins by creating open-source usage policies for your organization, then by tracking open-source usage, and finally by continuously monitoring for new vulnerabilities—because the problem isn’t going away.
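The tracking and monitoring steps above come down to two things: an inventory of which components (and versions) are actually in a build, and a comparison of that inventory against advisories as they are published. The script below is an added example, not Black Duck's tooling: it reads a constructed "component@version" inventory, matches each entry against a small advisory list using version-range comparison (including OpenSSL-style letter suffixes such as 1.0.1f), and reports severity and how long each advisory has been public, which is the "disclosed years before the audit" figure the study highlights. The advisory ids, the libwidget and libparse components, and the analysis date are constructed; only the openssl range reflects Heartbleed's public affected versions.

```python
"""Open-source component inventory check.

Added example, not Black Duck's tooling: given a list of components found
in a build and a small advisory list, report which components fall inside
an affected version range, the advisory severity, and how long the
advisory has been public. Advisory ids, the non-openssl components, and
the inventory are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[Tuple[int, str], ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    first_affected: str  # inclusive lower bound of the affected range
    first_fixed: str     # exclusive upper bound: the release carrying the fix
    severity: str
    disclosed: date


# Constructed advisory list. The openssl entry reflects Heartbleed's public
# range (1.0.1 through 1.0.1f, fixed in 1.0.1g, disclosed April 2014); its id
# is a placeholder, and the libwidget entries are invented.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001 (placeholder id)", "openssl", "1.0.1", "1.0.1g", "severe", date(2014, 4, 7)),
    Advisory("ADV-0002 (constructed)", "libwidget", "2.0", "2.3.1", "moderate", date(2012, 1, 15)),
    Advisory("ADV-0003 (constructed)", "libwidget", "2.3", "2.4", "severe", date(2015, 6, 1)),
]

# Constructed build inventory in a simple "component@version" line format.
INVENTORY_TEXT = """\
# components found in the build (constructed)
openssl@1.0.1f
libwidget@2.3.0
libwidget@2.4.0
libparse@1.0
"""

REPORT_DATE = date(2016, 3, 1)  # constructed analysis date


def parse_version(text: str) -> Version:
    """Turn '1.0.1f' into ((1,''), (0,''), (1,'f')) so tuple comparison
    follows release order, including OpenSSL-style letter suffixes."""
    parts = []
    for piece in text.split("."):
        digits, suffix = "", ""
        for ch in piece:
            if ch.isdigit() and not suffix:
                digits += ch
            else:
                suffix += ch
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.first_fixed)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Read 'name@version' lines, ignoring blanks and '#' comments."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("@")
        items.append((name, version))
    return items


def check_inventory(inventory, advisories=ADVISORIES, today=REPORT_DATE) -> List[Dict]:
    """Match every component against every advisory for the same component."""
    findings = []
    for name, version in inventory:
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                years_public = round((today - adv.disclosed).days / 365.25, 1)
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    "years_public": years_public,
                })
    return findings


def summarize(inventory, findings) -> Dict[str, int]:
    """The counts a reviewer wants first: components, affected components, severe findings."""
    affected = {(f["component"], f["version"]) for f in findings}
    return {
        "components": len(inventory),
        "affected_components": len(affected),
        "severe_findings": sum(1 for f in findings if f["severity"] == "severe"),
    }


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_TEXT)
    found = check_inventory(inv)
    for f in found:
        print(f"{f['component']}@{f['version']}: {f['advisory']} "
              f"[{f['severity']}], public for {f['years_public']} years")
    print(summarize(inv, found))
```

Run as-is, it flags openssl 1.0.1f and libwidget 2.3.0 and leaves libwidget 2.4.0 alone, because the fixed release is an exclusive upper bound. Real monitoring differs from this toy in two ways that matter: the inventory has to come from the build artefacts rather than from a hand-written list, since that is exactly where the "100 components when we thought it was 70" gap comes from, and the advisory list has to be refreshed continuously, since an inventory that is correct today still carries tomorrow's disclosure.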