The Growth of Open Source in Application Security

I think we can agree that open source is at the heart of most modern applications. These days, we find open source in the operating platform (operating system, database, or application server), the application framework and the modules and libraries used for key functionality. Open source is simply transformative in every industry, comprising between 60% and 80% of the application codebase.  


It may seem like 1998 is a random time to start estimating custom vs. open source code, given that Linux was released in 1991, while Richard Stallman's GNU project launched in 1983 and the Emacs editor was written in 1976. However, the term open source itself became more widely recognized at an event technology publisher Tim O'Reilly organized in 1998. Many excellent and well-known open source projects launched in the 1990s, such as GIMP, Ruby, Apache and OpenOffice (to name just a few). Still, to the larger development population, open source continued to comprise a small percentage of the code base.

In 2008 open source got a huge boost when Google released Chromium, the project that the Chrome browser runs on. Google then followed with Android and Chromium OS, which quickly opened up open source in the mobile environment. Anyone with a modern cell phone knows that there are many, many apps written for Android and the iPhone OS. Without a doubt, the explosion of the internet and then mobile devices contributed greatly to the growth of open source in 2008. We estimate that it grew to about 30-50% open source code in applications by 2008. 

This brings us to today. In 2016, we think open source is between 60-80% of the code base. In our Open Source Security Analysis 2016, we found that about 35% of the code in each application was open source, twice as much open source as the code owners anticipated. There are many reasons for the growth of open source, as cited by participants in our Future of Open Source Survey:

  • Increased development speed
  • Reduced development costs and accelerated time to market
  • Competitive features and technical capabilities

Open Source Growth

How does open source achieve these key benefits? It enables developers to use open source code for the pieces of their applications that aren't unique, such as clock or calendar scheduling functionality. Developers writing custom code can then focus on building proprietary functionality, creating intellectual property and delivering competitive differentiation. The combination of open source and custom code creates huge opportunities for application developers to build robust applications in a more agile environment.

Impact for Application Security?

It's reasonable to wonder how this explosion in open source usage has changed application security. There are a lot of excellent tools that address application security for custom code, and there's no denying that these tools are important. Static Application Security Testing (SAST) does a fantastic job of parsing and analyzing source or binary code. Dynamic Application Security Testing (DAST) tests the application while it is running to expose potential vulnerabilities. However, the inclusion of open source in so many of our applications today changes what works in application security testing: a known vulnerability in a third-party component is a property of the component's version, not of the custom code those tools are built to inspect. Organizations need to look at the growth of open source in their code base and acknowledge that their security investments need to address the growing risk in the application layer.
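As an added illustration of the gap described above (example code written for this edit, not part of the original post or of any Black Duck product): the check an application owner needs for open source components is an inventory of which components and versions are in the build, compared against known affected version ranges. The script below parses a requirements-style manifest and reports pinned versions that fall inside an advisory's affected range. The manifest, the package names and the advisory identifiers are all constructed sample data, not real packages or real advisories.

```python
"""Minimal software-composition check (added example, constructed data).

SAST inspects the application's own code and DAST probes the running app;
neither asks "which version of which library is linked in, and is that
version known to be affected?"  This script does only that question.
"""

# Constructed sample manifest in requirements.txt style.
# Package names are hypothetical.
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
webframework==2.3.1
imageparser==1.0.4   # pinned by the build team
jsonlib==4.2.0
loggingshim
"""

# Constructed advisory list: (package, first affected, first fixed, note).
# A real composition-analysis tool would pull this from a vulnerability
# database; the identifiers here are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    ("imageparser", "1.0.0", "1.0.5", "HYPOTHETICAL-001: malformed input handling"),
    ("webframework", "2.0.0", "2.3.0", "HYPOTHETICAL-002: request parsing"),
]


def parse_version(text):
    """Turn '1.0.4' into (1, 0, 4) so versions compare numerically.

    Comparing the raw strings would rank '1.0.10' below '1.0.5'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return ({package: version_tuple}, [unpinned names]).

    Comment and blank lines are skipped.  A dependency without '==' cannot
    be assessed, so it is reported separately rather than silently ignored:
    an unknown version is itself a finding for an inventory.
    """
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            unpinned.append(line.lower())
            continue
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = parse_version(version)
    return pinned, unpinned


def find_affected(pinned, advisories):
    """Return [(package, version_str, note)] where introduced <= version < fixed."""
    findings = []
    for package, introduced, fixed, note in advisories:
        version = pinned.get(package.lower())
        if version is None:
            continue
        if parse_version(introduced) <= version < parse_version(fixed):
            findings.append((package, ".".join(map(str, version)), note))
    return findings


def check_manifest(manifest_text, advisories=SAMPLE_ADVISORIES):
    """Full check: parse the manifest, then match it against the advisories."""
    pinned, unpinned = parse_manifest(manifest_text)
    return find_affected(pinned, advisories), unpinned


if __name__ == "__main__":
    affected, unknown = check_manifest(SAMPLE_MANIFEST)
    for package, version, note in affected:
        print(f"AFFECTED  {package}=={version}  {note}")
    for name in unknown:
        print(f"UNPINNED  {name}  (version unknown, cannot assess)")
```

Run against the constructed manifest, `imageparser==1.0.4` is reported as affected (1.0.4 lies in the range [1.0.0, 1.0.5)), `webframework==2.3.1` is clear because it is at or past the fixed version, and `loggingshim` is listed as unassessable because no version is pinned. The version-tuple comparison and the separate handling of unpinned entries are the two details that most often go wrong in a home-grown check of this kind.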

Vulnerabilities Persist

Our On-Demand audits are a great source of information for anyone wanting to learn about open source in application security. Often these audits are part of a merger or acquisition deal, where one party or the other is trying to ascertain whether there are any security, legal or operational risks in the code base before proceeding with a deal. All that data was anonymized so we could take a look at the big picture. Our findings can help developers and organizations understand the risks at the application layer, so they can continue to use open source safely and securely to speed innovation in applications and containers. Check out our infographic on open source in application security.

Open Source in Application Security
