News

Study Examines Open Source Risks in Enterprise Software

• By David Ramel
• October 27, 2017

Amid increasing reports of cyberattacks and data breaches, open source security company Flexera has published the results of a study examining the risk of using vulnerable open source code in enterprise applications and systems.

The new report, "Open Source Risk – Fact or Fiction?" doesn't paint a pretty picture of enterprise awareness of open source security vulnerabilities -- or even of the awareness of the usage of open source software (OSS) in general.

"Most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk," said Flexera exec Jeff Luszcz.

Flexera surveyed more than 400 software suppliers, Internet of Things (IoT) manufacturers and in-house development teams for the report. It found few policies for OSS acquisition or usage, confusion about who's in chareg of OSS, and many companies that aren't following best practices around the use of OSS.

Some data point takeaways from the study include:

• As much as 50 percent of all code found in commercial and IoT software products is open source.
• Only 37 percent of respondents have an open source acquisition or usage policy.
• 63 percent say either their companies don't have an open source acquisition or usage policy, or they don't know if one exists.
• 39 percent of respondents said that either no one within their company is responsible for open source compliance -- or that they don't know who is.
• 33 percent of respondents say their companies contribute to open source projects.
• Of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent said they contribute to open source projects.

While seemingly abstract, these findings can have real-world implications. For example, regarding the recent Equifax data breach, Flexera said attackers who potentially could have gained access to the personal data of millions of Equifax customers exploited a vulnerability in Apache Struts, a widely used open source framework for Web servers. Enterprises use Struts in commercial and in-house systems to ingest and serve up data. "The use case of this open source component makes it a prime target for cyberattacks," Flexera said.

In fact, Apache Struts was listed as one of the top 10 common higher-risk components in use by another company, Black Duck Software, in a similar report earlier this year.

While Flexera estimated as much as half of enterprise code is open source, Black Duck said recent research reports show that between 80 percent and 90 percent of the code in today's apps is open source.

"This isn't surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market," Black Duck CEO Lou Shipley said in April. The Black Duck report's conclusion was much the same as Flexera's survey. "Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges," Shipley said.

Both Flexera and Black Duck offer products or services to help enterprises get a better handle on their use of OSS.

In its report, Flexera advised companies to start managing their open source risk by:

• Educating staffers at all levels about the basics of open source license compliance management
• Setting up an open source review board (OSRB) to set policies, respond to license compliance and security events and provide training and knowledge to the rest of the company
• Having development/DevOps teams implement OSRB policies by emphasizing compliance with all open source licenses being used as a first step, and then focusing on creating a process to identify vulnerable components and release updates for them as needed
• Using software composition analysis (SCA) tools to help discover and manage the open source and third-party content being used

"OSS has allowed organizations to become very nimble," the study said. "But software developers should also take their processes to the next level and think about how they manage security and licensing risks."