Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

Open source use isn’t risky, but unmanaged use of open source is.

Open source software forms the backbone of nearly every application in every industry. Chances are that includes the applications your company develops as well. If you can’t produce an accurate inventory of the licenses, versions, and patch status of the open source components in your applications, it’s time to assess your open source management policies.

This paper provides insights and recommendations to help organizations and their development and IT teams better manage the open source risk landscape. It covers:

• Open source license risk and the need to identify and catalog open source licenses
• Security risk that comes with open source use and inadequate vulnerability management
• Operational open source risk, version control, and the dangers of using inactive components

According to SAP, more than 80% of all cyber attacks are happening on the application layer,1 specifically targeting software applications rather than the network.

Hackers take the easiest path when determining exploits and choose applications that offer the best attack surface opportunities. Those opportunities are generally created by unpatched or outdated software.

For example, Heartbleed, a dangerous security flaw, critically exposes OpenSSL, an open source project used in hundreds of thousands of applications that need to secure communications over computer networks against eavesdropping. Yet 56% of all OpenSSL versions that Cisco Security Research examined in its 2015 security report2 were still vulnerable to Heartbleed, more than two years after the Heartbleed vulnerability was first disclosed and a patched version issued.

This illustrates the difficulty organizations have in inventorying and managing open source components rather than a lack of security diligence. Without a comprehensive list of open source components in use, it is nearly impossible for any organization to identify specific applications that use vulnerable components.

Application security is a strategic imperative for organizations developing internal and public-facing software. Exploits of software security vulnerabilities can result in loss of customer or company information, disruption of business operations, damage to public image, regulatory penalties, and costly litigation.

Adding to the management challenge, the software development life cycle (SDLC) is increasingly complex. Demands for agility and faster time to market, distributed development teams, and rapidly evolving languages and technologies are all contributing factors.

To remain competitive, development teams increasingly rely on open source software—cost-effective, reusable software building blocks created and maintained by global communities of developers.

Open source use isn’t risky, but unmanaged use of open source is.

Open source software forms the backbone of nearly every application in every industry. Chances are that includes the applications your company develops as well. If you can’t produce an accurate inventory of the licenses, versions, and patch status of the open source components in your applications, it’s time to assess your open source management policies.

This paper provides insights and recommendations to help organizations and their development and IT teams better manage the open source risk landscape. It covers:

• Open source license risk and the need to identify and catalog open source licenses.
• Security risk that comes with open source use and inadequate vulnerability management.
• Operational open source risk, version control, and the dangers of using inactive components.

Can you say with confidence that the open source components used in your applications are up-to-date with all crucial patches applied? It’s impossible to patch software when you don’t know you’re using it.

The 2019 OSSRA report offers an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. Based on the anonymized data of over 1,200 audited codebases, this report provides:

• The latest insights and surprising statistics about open source security and license risk.
• The components most likely to have identified vulnerabilities.
• Six key recommendations to improve your application risk management processes.

The Black Duck by Synopsys Open Source Security and Risk Analysis (OSSRA) report provides an in-depth look at the state of open source security, license compliance, and code-quality risk in commercial software. Each year, the Black Duck OnDemand audit services group conducts open source audits on thousands of applications for its customers—primarily in conjunction with merger and acquisition transactions. This year’s analysis was done by the Synopsys Center for Open Source Research & Innovation (COSRI) and examines findings from the anonymized data of over 1,100 commercial codebases audited in 2017. Industries represented in the report include the automotive, big data (predominantly artificial intelligence and business intelligence), cyber security, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing, and mobile app markets.

The OSSRA report includes insights and recommendations intended to help organizations and security, risk, legal, development, and M&A teams better understand the open source security and license risk landscape as they strive to improve their application risk management processes.