Not Managing Open Source Opens Door for Hackers
The annual Open Source Security and Risk Evaluation (OSSRA) Report examined the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. That is an increase from 2017, when the average was just 257 components per codebase.
In addition, more open source vulnerabilities were disclosed in 2018 than in years past, with over 16,500 vulnerabilities reported to the National Vulnerability Database (NVD).
The report noted that the use of open source software is not a problem in and of itself, even though more than 40 percent of codebases contained at least one high-risk open source vulnerability. Failing to identify and deal with the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.
“At the end of the day, all applications are vulnerable to attack — without exception — and the nature of open source applications is to shine a light on the issues they have, leading to increased visibility of bugs, not an increase in bugs,” stated Cody Brocious, hacker and head of hacker education at HackerOne.
“The safety risk is diminished by raising visibility. In the event you’re not using open source components, you’d be using source components — either commercially available or hand-rolled — that have just as large of a likelihood of being exposed. Except that you don’t know about the bugs.
“There are a great number of tools which can be used to scan your codebase to determine which open source components (and versions) are in use, and check this against different vulnerability databases. Example tools include Dependency-Check from OWASP, and commercial tools such as Snyk and SourceClear.”
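The scanning step Brocious describes (inventory the components and versions in use, then check them against a vulnerability database) is the core of every software composition analysis tool. The script below is an added example written for this page, not code from the OSSRA report, HackerOne, or any of the tools named; the dependency manifest, the advisory list and the `EXAMPLE-ADV-*` identifiers are all constructed for illustration, and the version comparison is a deliberately simple numeric one.

```python
"""Minimal software composition analysis (SCA) check.

Added example (not from the OSSRA report or any named tool): parses a pinned
requirements.txt-style manifest, matches each component against a list of
advisories with affected version ranges, and reports the hits. The manifest,
advisories and advisory identifiers below are constructed, not real data.
"""
import re

# Constructed sample manifest, one pinned dependency per line.
MANIFEST = """\
# constructed sample manifest
requests==2.19.1
urllib3==1.24.2
pyyaml==5.3.1   # trailing comment is ignored
flask==1.1.2
"""

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"package": "requests", "introduced": "2.3.0", "fixed": "2.20.0",
     "id": "EXAMPLE-ADV-0001", "severity": "high"},
    {"package": "urllib3", "introduced": "0", "fixed": "1.24.2",
     "id": "EXAMPLE-ADV-0002", "severity": "medium"},
    {"package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "id": "EXAMPLE-ADV-0003", "severity": "critical"},
]

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def parse_version(version):
    """Turn '1.24.2' into (1, 24, 2) for tuple comparison.

    Simplification: only numeric components are kept, so pre-release tags
    such as '2.0.0rc1' are not ordered correctly. Real tools use a proper
    version scheme (e.g. PEP 440) instead.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_manifest(text):
    """Return {package_name_lowercase: pinned_version} from manifest text."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"unsupported manifest line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(manifest_text, advisories):
    """Match every advisory against the installed components; return findings."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is None:
            continue  # component not in this codebase
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "installed": installed,
                "advisory": adv["id"],
                "severity": adv["severity"],
                "fixed_in": adv["fixed"],
            })
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    results = scan(MANIFEST, ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper():9} {f['package']}=={f['installed']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
    print("worst severity:", worst_severity(results))
```

Run on the constructed manifest, the check flags `requests` (inside the affected range) and `pyyaml` (below the fixed version) but not `urllib3`, which is pinned exactly at the version the advisory lists as fixed. The `worst_severity` result is what a CI gate would key on; the version parser's treatment of pre-release tags is the kind of edge case that makes mature tools use a real version library.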