Synopsys, which develops the Software Composition Analysis platform Black Duck, released its annual Open Source Security and Risk Analysis Report earlier this month. The report provides a snapshot of security and compliance over the last year as it relates to open source and software development practices. They found that 84% of the codebases they analyzed contained at least one open source vulnerability. Let's dive in.
The Software Composition Problem
As discussed in previous posts, a major tenet of software development is repeatability and reusability of code. There is no point in re-inventing random number generation or database access when a plethora of packages and libraries exists to let developers focus on their application. However, a highly inaccurate understanding of open source is that it is more secure because the code is out in the open for anyone and everyone to audit for vulnerabilities. In reality, open source software should be considered unaudited, with a "use at your own risk" disclaimer.
Applications are Becoming More Complex
Over the past three years, the average number of open source components within applications has grown, increasing the potential for applications to contain vulnerabilities. Software development teams are building larger and more complex projects, which naturally require more reusable components. Without oversight and vulnerability management capabilities, software development projects are continually increasing the likelihood of vulnerabilities existing within their code.
It's a Finger in the Dyke Problem
As per US-CERT, on average 48 new vulnerabilities are discovered each day. The increasing number of open source components in software projects, combined with the increasing number of vulnerabilities found daily, has exposed a lack of vulnerability management capabilities within software development teams. There are typically multiple open source packages available to provide the desired functionality, and packages are being chosen based on experience and familiarity rather than long-term supportability and security.
Attackers are Targeting Open Source Packages
Sonatype recently reported a 430% surge in attacks targeting open source software supply chains! Attackers are switching their focus to the paths of least resistance with the highest likelihood of payout. The shift in focus from traditional IT infrastructure to the open source supply chain has caught both cyber security teams and development teams off guard, and concerns are growing that larger and more wide-scale breaches are in the future.
Signal to Noise Problem
While the number of vulnerabilities in open source packages and libraries continues to increase, only a fraction of identified vulnerabilities can be, or have been, proven to be exploitable by external hackers. In my past experience with using Software Composition Analysis tools, I have been frustrated with the sheer volume of benign vulnerabilities, which creates challenges in knowing what needs to be fixed, what needs to be deprecated and what can safely be ignored.
You can read the full report here: https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2020-ossra-report.pdf