Synopsys: Enterprises struggling with open source software
To curb open source risk, Synopsys advises enterprises to keep a comprehensive inventory of all software within their environments and to understand that securing open source requires strong management.
While nearly every enterprise environment contains open source applications, organizations are still struggling to properly manage the code, according to a report by Synopsys.
The 2022 Open Source Security and Risk Analysis (OSSRA) report revealed the sheer volume of open source software used by enterprises across a variety of industries, as well as challenges with out-of-date code and high-risk vulnerabilities such as Log4Shell. While problems with visibility and prioritization persist, the report highlighted improvements in a few areas, most notably an increasing awareness of open source software.
To compile the report, the Synopsys Cybersecurity Research Center and Black Duck Audit Services examined findings from more than 2,400 commercial codebases across 17 industries. While the analysis determined that 97% of the codebases contained open source software, a breakdown by industry showed that four industries contained open source in 100% of their codebases: computer hardware and semiconductors, cybersecurity, energy and clean tech, and the internet of things.
"Even the sector with the lowest percentage -- healthcare, health tech, life sciences -- had 93%, which is still very high," the report said.
Additionally, the report found 78% of the code within codebases was also open source. Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, contributed to the report and told SearchSecurity he was not surprised by the high percentage. It tracks with the last four or five years, during which more than two-thirds of the code within codebases was open source. In 2020, it was 75%. While the usage of open source software does vary by industry, Mackey said it is just the way the world works.
"I suspect that … [we'll] probably creep into the 80s over time, but we're nearing the bifurcation of propriety and custom versus open source for most industries," he said.
One aspect that has accelerated the pace of innovation over the last 10 years is how developers can focus on unique value propositions and features for employers. From there, Mackey said they can access libraries that do the foundational work. The challenge, he said, is that a development team will follow a different set of security rules and release criteria for open source software.
While it can be beneficial that anyone can examine the source code, Mackey said in practice most people just focus on what it does, download it and use it. Therein lies the risk for companies.
"So, with all the open source that's powering our modern world, that makes it a prime target for being an attack vector," he said.
Managing open source
A recurring trend in the report is "that open source itself doesn't create business risk, but its management does."
Mackey reiterated that sentiment, and said enterprises that change vendors after an incident may be pointing the finger in the wrong direction. He referred to the issues with open source as a "process problem."
"The open source itself might have a bug, but any other piece of software will have a bug as well," Mackey said.
However, the high volume does make it tricky to maintain. The OSSRA determined that 81% of software used by enterprises contained at least one vulnerability. The open source components jQuery and Lodash contained the highest percentage of vulnerable components. Spring Framework, which caused issues last month after researchers reported two flaws in the development framework, also made the list in 2021.
Additionally, Black Duck Audit Services risk assessments found that out of 2,000 codebases, 88% contained outdated versions of open source components, meaning "an update or patch was available but had not been applied."
More significantly, 85% contained open source code that was more than four years out of date. That percentage has been consistent over the years, according to Mackey.
He said that while it requires more digging to identify the issue, it highlights how the lack of an update process can make it easy to get out of date. The sheer volume of open source code is also an issue -- there could be hundreds to thousands of applications, with hundreds of components per application.
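The two findings above (an update or patch available but not applied, and an installed release more than four years old) both reduce to a check run over a component inventory, which is why the report stresses keeping one. The script below is an added illustration of that check and is not Synopsys or Black Duck tooling; the component names echo the article, but the versions, release dates, "latest" values and the reference date are constructed for the example.

```python
"""Inventory check: flag open source components with an available update
(the report's definition of "outdated") or whose installed release is more
than four years old. Hypothetical example; not Synopsys or Black Duck code."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample inventory. Names echo components the article mentions,
# but versions, release dates and "latest" values are made up for illustration.
REFERENCE_DATE = date(2022, 4, 15)  # constructed "today" for the assessment
INVENTORY: List[Dict] = [
    {"name": "log4j-core", "installed": "2.14.1", "latest": "2.17.1",
     "installed_released": date(2021, 3, 12)},
    {"name": "jquery", "installed": "1.12.4", "latest": "3.6.0",
     "installed_released": date(2016, 5, 20)},
    {"name": "lodash", "installed": "4.17.21", "latest": "4.17.21",
     "installed_released": date(2021, 2, 20)},
    {"name": "commons-collections", "installed": "3.2.2", "latest": "3.2.2",
     "installed_released": date(2015, 11, 13)},
]
STALE_AFTER_YEARS = 4  # the report's "more than four years out of date" threshold


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.17.1' or '1.12.4-rc1' into a tuple of ints (non-digits ignored)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def update_available(installed: str, latest: str) -> bool:
    """True when latest is newer; pads so '1.12' and '1.12.0' compare equal."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return b + (0,) * (width - len(b)) > a + (0,) * (width - len(a))


def years_between(earlier: date, later: date) -> float:
    """Elapsed time in years (average year length, good enough for a threshold)."""
    return (later - earlier).days / 365.25


def assess(inventory: List[Dict], today: date,
           stale_after: int = STALE_AFTER_YEARS) -> List[Dict]:
    """Annotate each component with the two findings the report counts."""
    findings = []
    for comp in inventory:
        age = years_between(comp["installed_released"], today)
        findings.append({
            "name": comp["name"],
            "installed": comp["installed"],
            "latest": comp["latest"],
            "update_available": update_available(comp["installed"], comp["latest"]),
            "age_years": round(age, 1),
            "stale": age > stale_after,
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts that correspond to the percentages the report publishes."""
    return {
        "components": len(findings),
        "with_update_available": sum(f["update_available"] for f in findings),
        "stale": sum(f["stale"] for f in findings),
    }


if __name__ == "__main__":
    results = assess(INVENTORY, REFERENCE_DATE)
    for f in results:
        flags = []
        if f["update_available"]:
            flags.append(f"update available ({f['installed']} -> {f['latest']})")
        if f["stale"]:
            flags.append(f"{f['age_years']} years old")
        print(f"{f['name']:<20} {'; '.join(flags) or 'ok'}")
    print(summarize(results))
```

The two flags are deliberately independent: a component can be current yet built on a release that is years old, and it can be recent yet already superseded. Both cases are invisible without an inventory that records the installed version and its release date alongside the component name.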
"That's really one of the cruxes of what we're seeing on a consistent basis, is that companies struggle to figure out what the most efficient way to manage this stuff really is," he said.
One flaw that caused enterprises a management and scale nightmare last year was Log4Shell. While the report noted a "decrease in high-risk vulnerabilities, … 2021 was still a year filled with open source issues." That included supply chain attacks and hacker exploits of Docker images, but "most notably" the zero-day vulnerability in the Apache Log4j utility known as Log4Shell. It allowed attackers to execute arbitrary code on vulnerable servers, according to the report.
"What's most notable about Log4Shell, however, is not its ubiquity but the realizations it spurred. In the wake of its discovery, businesses and government agencies were compelled to re-examine how they use and secure open source software created and maintained largely by unpaid volunteers, not commercial vendors. What also came to light was that many organizations are simply unaware of the amount of open source used in their software," the report said.
Researchers analyzed the percentage of audited Java codebases and found 15% "contained vulnerable Log4j component." Though Mackey acknowledged the quantity of Java applications has changed and log data has improved, he said 15% was lower than he expected.
"My crystal ball says we'll be talking about this next year because that's actually one of the big problems that we see year over year is that people don't necessarily do a good job of patching the vulnerabilities that have been around for a few years," he said.
Differences between commercial and open source software hinder enterprises when it comes to patching. The report noted that commercial patching "usually requires the involvement of a procurement department, as well as review standards that are part of a vendor risk management program." On the other hand, "open source may simply have been downloaded and used at the developer's discretion."
Part of that management extends to security following a merger or acquisition. Mackey said one of the biggest challenges that acquirers have is a lack of visibility and the skill set to evaluate exactly what they are buying. It appears 2021 was a big year for M&As.
"The growth in the number of audited codebases -- 64% larger than last year's -- reflects the significant increase in merger and acquisition transactions throughout 2021," the report said.
Based on the statistics, Mackey said it's exceedingly difficult for enterprises not to use open source.
"I'd argue it's all but impossible," he said. "They'd also have to not be using companies like Amazon or Microsoft or Google, because they're all using open source. It's what powers their clouds. So, it's life today."
While there is work to be done to minimize open source risk, Mackey said Synopsys observed many improvements last year. Enterprises did a better job of managing licensing conflicts, the number of vulnerabilities decreased and the number of applications with high-severity flaws also decreased.
"People are recognizing they need to 'get with the program.' That may be Biden going about beating them over the head, that might be 'Oh wait, I don't want to be the next Colonial Pipeline,'" Mackey said. "We can't necessarily say, but those are good trends. I don't like to say open source is bad in any way; it's just managed differently."