
Trust in a Digital World

The Black Duck by Synopsys Open Source Security and Risk Analysis (OSSRA) report provides an in-depth look at the state of open source security, license compliance, and code-quality risk in commercial software. Each year, the Black Duck OnDemand audit services group conducts open source audits on thousands of applications for its customers—primarily in conjunction with merger and acquisition transactions. This year’s analysis was done by the Synopsys Center for Open Source Research & Innovation (COSRI) and examines findings from the anonymized data of over 1,100 commercial codebases audited in 2017. Industries represented in the report include the automotive, big data (predominantly artificial intelligence and business intelligence), cyber security, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing, and mobile app markets.
The OSSRA report includes insights and recommendations intended to help organizations and security, risk, legal, development, and M&A teams better understand the open source security and license risk landscape as they strive to improve their application risk management processes.
Today, 85% of security attacks target software applications, according to SAP. Not surprisingly, there is an array of application security tools on the market to help companies address security risks, and they vary in both approach and coverage. For example, traditional application security tools—dynamic application security testing (DAST) and static application security testing (SAST)—are very effective in finding bugs in the application code internal developers write. However, they are not effective in identifying open source software vulnerabilities. Given that open source is an essential component in application development worldwide, effective open source vulnerability management is imperative.
This guide provides a comprehensive overview of application security risks, discusses the types of solutions available, and looks at where each excels or falls short. It discusses why organizations need a comprehensive application security toolkit to stay secure throughout the product life cycle.
Organizations are leveraging containers on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, the security risks associated with containerized software delivery have become a critical topic in DevOps.
This puts the spotlight on operations teams to find security vulnerabilities in production environments without sacrificing the efficiency of containers.
Contrast Assess transforms an organization’s ability to secure software by making applications self-protecting.
This whitepaper will cover how Contrast Assess’ unique Interactive Application Security Testing (IAST) architecture makes software capable of assessing itself continuously for vulnerabilities, while providing the highest accuracy, efficiency, and coverage.
Software affects virtually every aspect of an individual’s finances, safety, government, communication, businesses, and even happiness. Individuals need to trust software — and it makes one feel less safe when it is misused or causes harm to others. So, in response to these concerns, Contrast Security created interactive application security testing (IAST) software, called Contrast Assess, that enables software applications to protect themselves against cyber attacks. Contrast Assess is accurate, easy to install, simple to use, and scalable.
Download our brief to learn more!