A new report into the state of enterprise security suggests that the majority of codebases in use contain known vulnerabilities due to the use of open-source components.

On Tuesday, Synopsys[1] released the Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report[2], which found that open-source adoption is on the rise in the enterprise -- but security controls have not necessarily matched the pace.

Open-source projects, software, and library adoption have become a common theme in the enterprise. Open-source systems can save a vast amount of time and money for developers and businesses alike and many well-known players in fields ranging from technology to core services use open-source components on a daily basis.

However, because open-source projects are often maintained by developers giving away their time for free, bugs can sometimes escape the net and cause chaos further down the line unless users and staff are aware of which components are in use and maintain regular security checks.

In 2017, for example, Equifax blamed open-source Apache Struts[3] usage for a cyberattack which led to the compromise of 143 million records.

In the same year, Black Duck Software researchers found through an audit of 1,000 commonly-used applications in the enterprise that 96 percent utilized open-source software, and over 60 percent contained security vulnerabilities[4] due to these components.

Some of the bugs found were over four years old.

It seems little has changed. The Burlington, Mass.-based firm's latest research[5] suggests that a third of enterprise codebases have still not patched the same vulnerability which caused Equifax such heartache.

After auditing a total of 1,100 commercial databases used by companies in industries including cybersecurity, automotive, healthcare,

Read more from our friends at ZDNet