Report highlights security risk of open source code to business

Increased adoption of open source code is introducing vulnerabilities into commercial software, with many audited codebases containing the Apache Struts flaw that enabled the Equifax breach, a report shows. Most software includes known vulnerabilities and licence conflicts as open source adoption soars, a report has revealed. The Black Duck by Synopsys report is based on analysis of anonymised data from more than 1,100 commercial codebases audited in 2017 across nine industry sectors, including automotive, cyber security, financial services and healthcare. The 2018 Open source security and risk analysis (OSSRA) report highlighted a substantial uptick in open source adoption, with 96% of the applications scanned containing open source components. The data also showed that the average number of open source components found per codebase (257) grew by 75% compared with the previous year, with many applications containing more open source than proprietary code. The report said it was worrying that 78% of the codebases examined contained at least one open source vulnerability, with an average 64 vulnerabilities per codebase.