Today we released an internal research project based on data from the Open Source Security Audits we perform in our on-demand audit business. We anonymized, then analyzed the results from the review of hundreds of commercial software applications. The results didn’t surprise us, but they may surprise you.
The On-Demand Audit Data
Without rehashing the entire study, I’ll summarize by stating that the average application included over 100 unique open source components, and that, on average, those components carried almost two dozen known vulnerabilities between them. These aren’t new vulnerabilities that our team found. These are vulnerabilities that were found by security researchers, disclosed publicly in the National Vulnerability Database (NVD), and for which corrected versions of the components were already available.
Worse yet, the average vulnerability was first disclosed over 5 years ago!
What Does the Data Mean?
These results, we suspect, don’t reflect purposeful negligence on the part of the code owners. These applications are typically reviewed as part of due diligence in an acquisition or merger, so the code owners had built code that was technically strong enough to attract a buyer and that filled a market need. Instead, the results show how difficult it can be to manage the use of open source, even in technically sophisticated organizations.
Developers rely on open source to provide critical functionality without writing the code from scratch. This helps them meet tight delivery schedules, at a lower cost. It provides so much value that even in the proprietary applications in this study, open source comprises over 1/3 of the average code base.
So the problem isn’t the use of open source – it’s maintaining visibility into: a) what was used, and b) new information about each component, particularly newly disclosed security vulnerabilities (by NVD’s count, over 6,000 in the last two years in open source components alone).
This is what we mean when we talk about code hygiene. Software security is ephemeral. It’s not enough to assume that because a piece of code is deemed secure today, it will be secure tomorrow. New information, in the form of vulnerability disclosures, can change everything. With open source, the issue is exacerbated because our adversaries have access to everything we do, including the source code, the public disclosure that names the affected versions, and any exploits written against them.
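The two halves of the visibility problem above, knowing what was used and matching it against new disclosures, are what a software composition check does in practice. The following is an added example, not code from the original post or from our audit tooling: it takes a constructed component inventory and a constructed advisory feed (component names, version ranges, dates and the ADV-nnnn identifiers are all made up for illustration), reports every shipped version that falls inside a known affected range, computes how long those vulnerabilities have been public, and picks an upgrade target that clears every advisory for the component rather than just the first one.

```python
"""Added example (not code from the original post): a minimal
software-composition check that matches an application's open source
inventory against a vulnerability feed, measures how long each matched
vulnerability has been public, and picks an upgrade target that clears
every advisory for the component. The inventory, feed, component names
and advisory IDs below are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import re


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Compares numerically, so 1.10 > 1.9.
    Assumes dotted numeric versions; pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Advisory:
    adv_id: str          # constructed placeholder, not a real CVE
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first corrected version (exclusive upper bound)
    disclosed: date      # public disclosure date


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def find_vulnerabilities(inventory: dict, feed: list) -> list:
    """Return (component, version, advisory) for every advisory whose
    affected range contains the version the application ships."""
    hits = []
    for adv in feed:
        version = inventory.get(adv.component)
        if version is not None and is_affected(version, adv):
            hits.append((adv.component, version, adv))
    return hits


def upgrade_target(component: str, current: str, feed: list):
    """Smallest fixed version above the current one that is not inside
    the affected range of *any* advisory for the component. Jumping only
    to the first advisory's fix can land inside a second advisory."""
    advs = [a for a in feed if a.component == component]
    candidates = sorted({a.fixed_in for a in advs}, key=parse_version)
    for c in candidates:
        if parse_version(c) > parse_version(current) and not any(
            is_affected(c, a) for a in advs
        ):
            return c
    return None


def summarize(inventory: dict, feed: list, today: date) -> dict:
    """Audit-style rollup: component count, how many are vulnerable, how
    many known vulnerabilities they carry, and how stale those are."""
    hits = find_vulnerabilities(inventory, feed)
    ages_days = [(today - adv.disclosed).days for _, _, adv in hits]
    vulnerable = sorted({name for name, _, _ in hits})
    years = lambda d: round(d / 365.25, 1)
    return {
        "components": len(inventory),
        "vulnerable_components": len(vulnerable),
        "vulnerabilities": len(hits),
        "avg_years_since_disclosure": years(sum(ages_days) / len(ages_days)) if ages_days else 0.0,
        "oldest_years_since_disclosure": years(max(ages_days)) if ages_days else 0.0,
        "upgrades": {name: upgrade_target(name, inventory[name], feed) for name in vulnerable},
    }


# Constructed inventory (component -> shipped version) and advisory feed.
INVENTORY = {"libexample": "1.2.3", "widgetparse": "0.9.0", "netcodec": "2.5.0"}
FEED = [
    Advisory("ADV-0001", "libexample", "1.0.0", "1.2.4", date(2010, 3, 1)),
    Advisory("ADV-0002", "libexample", "1.2.0", "1.3.0", date(2013, 6, 15)),
    Advisory("ADV-0003", "widgetparse", "0.5.0", "1.0.0", date(2012, 1, 10)),
    Advisory("ADV-0004", "netcodec", "2.0.0", "2.1.0", date(2014, 11, 20)),
]
AUDIT_DATE = date(2016, 1, 1)  # constructed "today" so the numbers are stable

if __name__ == "__main__":
    for name, version, adv in find_vulnerabilities(INVENTORY, FEED):
        print(f"{name} {version}: {adv.adv_id} disclosed {adv.disclosed}, fixed in {adv.fixed_in}")
    print(summarize(INVENTORY, FEED, AUDIT_DATE))
```

Note what the upgrade logic catches: libexample 1.2.3 is covered by two advisories, and the first fix (1.2.4) still sits inside the second advisory's range, so the check recommends 1.3.0. netcodec 2.5.0 is past its advisory's fixed version and is correctly left alone. A real feed would be NVD or a vendor database keyed by CPE or package coordinates, and the inventory would come from a build manifest or a scan of the shipped artifacts; the matching and staleness logic is the same.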
Read the on-demand audit report, and tell us what you think. We think you’ll find it interesting, and that it provides strong evidence that software security needs to expand beyond static and dynamic analysis, especially in a world where open source use is growing at such a fast pace, without any signs of slowing down.