What’s In Your Code? Reviewing On-Demand Audit Data

Today we released an internal research project based on data from the Open Source Security Audits we perform in our on-demand audit business. We anonymized, then analyzed the results from the review of hundreds of commercial software applications. The results didn’t surprise us, but they may surprise you.

The On-Demand Audit Data

Without rehashing the entire study, I’ll summarize by stating that the average application included over 100 unique open source components, and those components (on average) contained a total of almost two dozen vulnerabilities. These aren’t new vulnerabilities that our team found. These are vulnerabilities that were found by security researchers, disclosed publicly in the National Vulnerability Database (NVD), and for which corrected versions of the components were available.

Worse yet, the average vulnerability was first disclosed over 5 years ago!

What Does the Data Mean?

These results, we suspect, don’t reflect purposeful negligence on the part of the code owners. These applications are typically reviewed as part of due diligence in an acquisition or merger, so clearly the code owners had created code that was technically strong and filled a market need. Instead, this is representative of how difficult it can be to manage the use of open source, even in technically sophisticated organizations.

Developers rely on open source to provide critical functionality without writing the code from scratch. This helps them meet tight delivery schedules, at a lower cost. It provides so much value that even in the proprietary applications in this study, open source comprises over 1/3 of the average code base.

So the problem isn’t the use of open source; it’s maintaining visibility into: a) what was used, and b) new information about each component, particularly newly disclosed security vulnerabilities (by NVD’s count, over 6,000 over the last two years, just in open source components).

This is what we mean when we talk about code hygiene. Software security is ephemeral. It’s not enough to assume that because a piece of code is deemed secure today, it will be secure tomorrow. New information, in the form of vulnerability disclosures, can change everything. With open source, the issue is exacerbated because our adversaries have access to all of the tools we do, including exploits and the source code.
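The two pieces of visibility described above (what was used, and what has since been disclosed about it) can be exercised with a small inventory check. The following is an added example, not code from the post or from Black Duck: it cross-references a constructed component inventory against a constructed advisory feed, reports each match, and computes the "how long has this been public" figure the study summarizes. All component names, versions, advisory IDs and dates are made up for illustration; the single "first fixed version" model is a simplification, since real NVD records express affected ranges through CPE matching and ecosystems carry pre-release tags and epochs.

```python
# Added example (not from the Black Duck post): a minimal component-inventory
# check that cross-references the open source components an application ships
# against a set of published advisories and reports how long each matching
# vulnerability has been public. Every name, version, ID and date below is
# constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    """One open source component as recorded in the application's inventory."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A published vulnerability record: affected component, first fixed
    version, and the date the issue was disclosed."""
    advisory_id: str
    component: str
    fixed_in: str
    disclosed: date


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.
    (Simplification: real ecosystems also have pre-release tags, epochs, etc.)"""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if it is the named component and its version
    is older than the first version that carries the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def find_known_vulnerabilities(inventory, advisories, today: date) -> list:
    """Return one finding per matching (component, advisory) pair, including
    how many days the vulnerability has been publicly known as of `today`."""
    findings = []
    for component in inventory:
        for advisory in advisories:
            if is_affected(component, advisory):
                findings.append({
                    "component": component.name,
                    "version": component.version,
                    "advisory": advisory.advisory_id,
                    "fixed_in": advisory.fixed_in,
                    "days_public": (today - advisory.disclosed).days,
                })
    return findings


def summarize(findings: list) -> dict:
    """Aggregate the way the post's study does: how many known vulnerabilities
    the application carries, and how long they have been public on average."""
    if not findings:
        return {"count": 0, "avg_days_public": 0.0, "oldest": None}
    days = [f["days_public"] for f in findings]
    oldest = max(findings, key=lambda f: f["days_public"])
    return {
        "count": len(findings),
        "avg_days_public": sum(days) / len(days),
        "oldest": oldest["advisory"],
    }


# Constructed sample inventory (what the application actually ships).
INVENTORY = [
    Component("libexample-parser", "1.2.0"),
    Component("example-http", "3.4.1"),
    Component("example-crypto", "0.9.8"),
    Component("example-logging", "2.0.0"),
]

# Constructed advisory feed (stand-in for an NVD-style data source).
ADVISORIES = [
    Advisory("ADV-0001", "libexample-parser", "1.2.5", date(2012, 3, 1)),
    Advisory("ADV-0002", "example-http", "3.4.0", date(2015, 6, 15)),   # already fixed
    Advisory("ADV-0003", "example-crypto", "1.0.0", date(2014, 1, 10)),
    Advisory("ADV-0004", "example-crypto", "0.9.9", date(2016, 9, 20)),
    Advisory("ADV-0005", "example-logging", "2.1.0", date(2017, 2, 1)),
    Advisory("ADV-0006", "example-unused", "5.0.0", date(2010, 1, 1)),   # not in inventory
]

AS_OF = date(2017, 5, 1)   # constructed "today" so the ages are reproducible

if __name__ == "__main__":
    results = find_known_vulnerabilities(INVENTORY, ADVISORIES, AS_OF)
    for f in results:
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(fixed in {f['fixed_in']}, public for {f['days_public']} days)")
    print(summarize(results))
```

Two design points matter more than the arithmetic. The inventory is the input that most organizations lack, so the check is only as good as the recorded list of components and versions (a transitive dependency that is not in the inventory is invisible to it). And the advisory feed changes daily, which is why the check belongs in a scheduled job rather than a one-time review: the same inventory that is clean today produces findings tomorrow when a new disclosure lands.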

Read the on-demand audit report, and tell us what you think. We think you’ll find it interesting, and it provides strong evidence that software security needs to expand beyond static and dynamic analysis, especially in a world where open source is growing at such a fast pace, without any signs of slowing down.

The State of Open Source Security
