Open source use grows, but security issues common, says report

Open source software expert James Robb of Pinsent Masons, the law firm behind Out-Law.com, said the findings of new analysis of the use of open source software by companies showed that businesses continued to overlook the risks of data breaches caused by poor maintenance.

The 2018 Open Source Security and Risk Analysis report, produced by Synopsys-owned industry specialist Black Duck, audited over 1,100 commercial codebases and found open source components in 94% of the applications scanned. The average percentage of codebase that was open source had risen from 36% in 2016 to 57% in 2017.

However the number of codebases with at least one vulnerability had also risen year-on-year. Over three-quarters (78%) contained at least one vulnerability, with an average of 64 vulnerabilities per codebase. That was up from 67% in 2016.

The number of open source vulnerabilities per codebase grew by 134% between 2016 and 2017 and on average the vulnerabilities identified were disclosed six years ago.

According to Black Duck, the high growth rate was partially due to the record number of vulnerabilities reported in 2017 and a five-year growth trend in known open source vulnerabilities.

“The report confirms not only that use of open source software has become ubiquitous in businesses of all shapes and sizes, but also that businesses continue to grapple with both security and licence compliance issues posed by open source applications,” Robb said.

“Although open source software is a powerful and convenient business tool, if improperly maintained it presents clear exposure for data breaches, whether in isolation or because of connections to other systems or software,” Robb said.

Robb said the issue of data security was becoming more important with the imminent implementation of the EU’s General Data Protection Regulation (GDPR), which will impose financial penalties of up to €20 million or 4% of an organisation’s global revenue if they are found guilty of breaching the law.

“Despite high-profile data breaches caused by open source software both in the UK and globally, businesses continue to overlook the risks,” Robb said.

The report found a high proportion – 85% - of the audited codebases had either licence conflicts or unknown licences.

“Recent US case law demonstrates that licence breaches resulting from such conflicts may be found to be breach of contract,” Robb said.

“Although not as high profile as data security, breaches of open source software licences theoretically expose organisations to disruptive legal proceedings or settlements with licensors. In some cases, non-compliance with open source licences might also restrict access to critical updates or patches required to preserve data security,” Robb said.

Robb said businesses needed to properly understand the way they were using open source software, its interface with other critical systems and its potential to lead to data breaches.

“Organisations must have rigorous procedures in place to ensure that all relevant updates, patches and security fixes are applied as soon as they are released, and should conduct licence audits periodically to remain compliant and reduce the risk of a licence clash,” Robb said.

“With the advent of GDPR and in an era of heightened privacy awareness, regulators are likely to have little sympathy for data breaches resulting from compromised open source software, or indeed any software, irrespective of whether the breaches are caused by human or technical failures,” Robb said.