Report: Commercial Software Riddled With Open Source Code Flaws
Black Duck Software on Wednesday released its 2017 Open Source Security and Risk Analysis, detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges.
Black Duck conducted audits of more than 1,071 open source applications for the study last year. There are widespread weaknesses in addressing open source security vulnerability risks across key industries, the audits show.
Open source security vulnerabilities pose the highest risk to e-commerce and financial technologies, according to Black Duck's report.
Open source use is ubiquitous worldwide. An estimated 80 percent to 90 percent of the code in today's software applications is open source, noted Black Duck CEO Lou Shipley.
Open source lowers development costs, accelerates innovation, and speeds time to market. However, there is a troubling level of ineffectiveness in addressing risks related to open source security vulnerabilities, he said.
"From the security side, 96 percent of the applications are using open source," noted Mike Pittenger, vice president for security strategy at Black Duck Software.
"The other big change we see is more open source is bundled into commercial software," he told LinuxInsider.
The open source audit findings should be alarming to security executives. The application layer is a primary target for hackers. Thus, open source exploits are the biggest application security risk that most companies have, said Shipley.
Understanding the Report
The report's title, "2017 Open Source Security and Risk Analysis," may be a bit misleading. It is not an isolated look at open source software. Rather, it is an integrated assessment of open source code that coexists with proprietary code in software applications.
"The report deals exclusively with commercial products," said Pittenger. "We think it skews the results a little bit, in that it is a lagging indicator of how open source is used. In some cases, the software was developed within three, five or 10 years ago."
The report provides an in-depth look at the state of open source security, compliance, and code-quality risk in commercial software. It examines findings from the anonymized data of more than 1,000 commercial applications audited in 2016.
Black Duck's previous open source vulnerability report was based on audits involving only a few hundred commercial applications, compared to the 1,071 software applications audited for the current study.
"The second round of audits shows an improving situation for how open source is handled. The age of the vulnerabilities last year was over five years on average. This year, that age of vulnerability factor came down to four years. Still, that is a pretty big improvement over last year," Pittenger said.