Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows

Free-as-in-speech software is wildly popular – keeping libraries, components up to date is not


Ninety-one per cent of commercial applications include outdated or abandoned open source components, underscoring the potential vulnerability of organizations using untended code, according to a software review.

Synopsys, a California-based design automation biz, conducted an audit of 1,253 commercial codebases in 17 industries for its 2020 Open Source Security and Risk Analysis report.

It found that almost all (99 per cent) of the codebases examined have at least one open source component and that 70 per cent of the code overall is open source. That's about twice as much as the company's 2015 report, which found only 36 per cent of audited code was open source.

The good news is that open source code has become more important to organizations; the bad news is that its risks have followed, exemplified by vulnerabilities such as the 2014 Heartbleed memory disclosure bug and the Apache Struts flaws identified in 2017 and 2018.

Ninety-one per cent of the audited applications had components that are either four years out of date or have seen no active development for two years. In 2019 – the period covered by the 2020 report – the percentage of codebases containing vulnerable components rose to 75 per cent, up from 60 per cent in 2018.

The percentage of applications afflicted with high-risk flaws reached 49 per cent in 2019, up from 40 per cent in 2018.

The most common high-risk vulnerability, identified more than 500 times, is CVE-2018-16487, a prototype pollution bug in the JavaScript library Lodash that affects versions prior to 4.17.11. It can potentially be used for remote code execution.


The oldest vulnerability found dates back more than two decades: CVE-1999-0061, allowing file creation, deletion, and remote execution via the BSD line printer daemon (lpd).

In an email to The Register, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said there are many examples of known vulnerabilities in open source code that have led to hacking incidents, including the 2017 Equifax breach.

"Within the past year, CVE-2020-11651 and CVE-2020-1165 impacted SaltStack which is an open source systems management platform," said Mackey. "Since open source solutions are often at the heart of critical business tasks, one exploitable vulnerability can have significant impact."

He added, "In the case of these two CVEs which impacted LineageOS, Ghost and Digicert, among others, patch success requires that corporate patch management processes include an awareness of precisely what open source the business is running, and where to download the appropriate patches from."

One-hundred twenty-four components were commonly used across all codebases. The top five were: jQuery (55 per cent); Bootstrap (40 per cent); Font Awesome (31 per cent); Lodash (30 per cent); and jQuery UI (29 per cent).

If that looks like a lot of JavaScript libraries, that's because JavaScript is common in the codebases analyzed. The languages found in the codebases checked include: JavaScript (74 per cent); C++ (57 per cent); Shell (54 per cent); C (50 per cent); Python (46 per cent); Java (40 per cent); TypeScript (36 per cent); C# (36 per cent); Perl (30 per cent); and Ruby (25 per cent).

And the percentage of components in these codebases also skews toward JavaScript (51 per cent). Other components used these languages: C++ (10 per cent); Java (7 per cent); Python (7 per cent); Ruby (5 per cent); Go (4 per cent); C (4 per cent); PHP (4 per cent); TypeScript (4 per cent); C# (3 per cent); Perl (2 per cent); and Shell (1 per cent).

The Synopsys report also found that 68 per cent of codebases exhibited an open source license conflict and that 33 per cent of them had no identifiable license. Internet and mobile apps were the most common types of applications with license issues (93 per cent), while virtual reality, gaming, entertainment, and media apps had fewer problems (59 per cent).

Mackey said the incidence of high profile legal action arising from open source licensing disputes is rare, noting that most compliance issues get handled within an organization, the end result being that developers have to rework their code.

For companies using open source code, Mackey said the most important thing is to have a strategy for updating open source components.

"When an IT staffer or a developer downloads an open source tool or component, and the business lacks awareness of that action, properly managing any risk becomes quite difficult," said Mackey.

"This isn’t simply a case of performing periodic scans, but rather having a clear process defined in collaboration between developers, IT and legal teams for what acceptable use is and how that use is to be managed." ®
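The inventory awareness Mackey describes, and the Lodash advisory cited earlier, can be illustrated with a small component check. This is an added example, not code from Synopsys or The Register: it reads the dependency tree from an npm package-lock.json and flags installed versions below an advisory's fixed version. The lockfile contents and the advisory list are constructed here; CVE-2018-16487 and its fixed version 4.17.11 are the values the article gives for Lodash.

```javascript
// Constructed lockfile (npm lockfileVersion 2 layout), not from a real project.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },   // root entry
    "node_modules/lodash": { version: "4.17.10" },    // below the 4.17.11 fix
    "node_modules/jquery": { version: "3.5.1" },
    "node_modules/bootstrap": { version: "4.5.0" },
  },
};

// Constructed advisory list; only the Lodash entry reflects the article's CVE.
const ADVISORIES = [
  { name: "lodash", cve: "CVE-2018-16487", fixedIn: "4.17.11",
    issue: "prototype pollution" },
];

// Compare dotted numeric versions (pre-release suffixes are ignored):
// negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Build a name -> installed version map from the lockfile's "packages" entries.
// Nested copies ("node_modules/a/node_modules/b") are keyed by the inner name.
function inventory(lock) {
  const out = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;                             // skip the root entry ""
    const marker = "node_modules/";
    out[path.slice(path.lastIndexOf(marker) + marker.length)] = meta.version;
  }
  return out;
}

// Return advisories whose fixed version is newer than what is installed.
function findVulnerable(lock, advisories) {
  const inv = inventory(lock);
  return advisories
    .filter(a => inv[a.name] && compareVersions(inv[a.name], a.fixedIn) < 0)
    .map(a => ({ ...a, installed: inv[a.name] }));
}

console.log(findVulnerable(LOCKFILE, ADVISORIES));
```

The same inventory map is what a business needs to know which components it is running before it can decide where patches must come from.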


Biting the hand that feeds IT © 1998–2020