Security vulnerabilities in open source and GDPR implications
Open source components are present in an enormous percentage of applications in numerous firms. What does the security overview of open source look like just moments before the GDPR enforcement?
The Black Duck report is here, raising some serious concerns as the big GDPR enforcement day approaches. Conducted by the Synopsys Center for Open Source Research and Innovation (COSRI), the Synopsis Open Source Security Risk Analysis (OSSRA) report examines the findings from the anonymized data of over 1,100 codebases audited in 2017.
But without further ado, let’s dive into the results.
It is no news that a wide range of industries and organizations rely on open source applications or application components. And what is also not news it why this is the case; low costs, speed, accelerated innovation, developer productivity, the list goes on and on. Among the applications scanned for the Black Duck On-Demand audits, 96% of them had open source components while the average percentage of open source codebase was 57%!
As the report also argues, open source being more or less secure than custom code is hardly the case. It is a fact, however, that some open source characteristics feature certain vulnerabilities that are very attractive to attackers.
As opposed to commercial software, open source does not automatically push updates to users and users are responsible for keeping track of updates, bugs, fixes and vulnerabilities. In most cases, a company does not use a single open source application but rather multiple ones. That can raise a challenge when trying to keep track of all open source it uses and, therefore, it gets even more challenging to defend against common attacks targeting known vulnerabilities.
To talk some numbers, over 4,800 open source vulnerabilities were reported in 2017, noting an increase of 134% since 2016, while the report documents an average of 64 vulnerabilities per codebase. The 85% of the codebase audited for the OSSRA report, had either license conflicts or unknown licenses while 17% of the codebases contained a highly publicized vulnerability such as Heartbleed, Logjam, Freak, Drown and Poodle.
Speaking of vulnerabilities, over 54% of the vulnerabilities found in audited codebases are considered high-risk ones with the most common vulnerability being CVE-2016-9878, found in the Pivotal Spring Framework, which also appeared in 13% of the codebases.
As explained in the report “Open source components are governed by one of about 2,500 known open source licenses, many with obligations and varying levels of restriction. Failure to comply with open source licenses can put businesses at significant risk of litigation and compromise of IP.” Yet, the lack of compliance is one of the major risks associated with open source.
Another issue in relevance to open source licenses is the fact that not all teams publishing free software use licenses for their projects. Most interestingly, GitHub introduced the ability to attach a license to a project only a few years ago.
Given the large number of open source components used by companies, as discussed above, it is often extremely difficult for organizations to keep track of the respective number of license obligations with the traditional spreadsheet method, leading to license conflict issues. According to the report, 74% of the audited codebases contained license conflicts.
GDPR enforcement is almost upon us and the sanctions for non-compliance firms and organizations can be disastrous. The Black Duck OSSRA report depicts some worrying security issues in open source that can cause significant problems for open source users in the age of GDPR.
It remains to be seen how the community will tackle this issues.