Synopsys has released a report exploring the strategies that organizations around the world are using to address open source vulnerability management as well as the growing problem of outdated or abandoned open source components in commercial code.
The report, based on a survey of 1,500 IT professionals, says that the security risk posed by unmanaged open source is mounting in parallel with the growth of open source use: the overwhelming majority of modern codebases contain open source components, with open source often comprising 70% or more of the overall code.
75% of the codebases audited by Synopsys contained open source components with known security vulnerabilities. To combat this situation, respondents to the survey cite identification of known security vulnerabilities as the number one criterion when vetting new open source components.
According to Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center, organizations are struggling to effectively track and manage their open source risk.
“Over half—51%—say it takes two to three weeks for them to apply an open source patch,” Mackey said. “This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released.”
“The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily.”
Another noteworthy finding of the report is that there is no universally adopted application security testing (AST) tool. Though there is no shortage of application security testing tools and techniques, even the AST tool with the highest adoption rate is still used by less than half of respondents.