Synopsys today released its ‘2018 Open Source Security and Risk Analysis’ report, which highlights a massive uptick in open source adoption, with 96% of the applications scanned containing open source components.

The report found that more than 54% of vulnerabilities found in audited codebases are considered high-risk, with 17% of the codebases containing highly publicised vulnerabilities such as Heartbleed, Logjam, Freak, Drown, or Poodle.

“Following the notorious Heartbleed and Struts2 vulnerabilities, it should be no surprise to any CSO or CISO that the majority of applications are plagued by vulnerable software components,” commented Derek Weeks, VP and DevOps advocate at Sonatype.

“The question is, what actions have they taken to proactively collaborate with their development teams to minimise such risks within their organisations.

Open source vulnerabilities

Vulnerable open source components were found in applications in every industry. The Internet and Software Infrastructure vertical had the highest proportion of 67% of applications containing high-risk open source vulnerabilities.

Ironically, 41% of the applications in the cybersecurity industry were found to have high-risk open source vulnerabilities, putting that vertical at fourth highest risk.

Weeks added: “We know from our own research that even the world’s largest and most successful companies are building unsafe code into their applications. For example, 57% of the Fortune Global 100 have downloaded known vulnerable versions of Apache Struts, responsible for Equifax’s highly-publicised breach.

“This behaviour is endemic across all industries – we found similar rates of vulnerable downloads from development team across Fortune Global 100 tech companies, automakers, and financial services or insurance firms.”

‘Gross negligence’

In addition, 33% of the audited codebases that contained Apache Struts also contained the vulnerability that resulted in the Equifax breach. The report clearly shows that organisations are allowing a growing number of vulnerabilities to accumulate in their codebases. On average, vulnerabilities identified in the audits were disclosed nearly six years ago.

Weeks continued: “Our dependence on the use of free open source components to accelerate development has never been greater. But we all know, there are no free puppies. Indiscriminate consumption of components – especially those with known vulnerabilities – should be considered gross negligence.”

He also noted that, in just 10 days, deploying known vulnerable components with production applications will be subject to GDPR ‘secure by design’ compliance standards and may lead to considerable liability and fines.

Written by Leah Alger