Can Your Patching Strategy Keep Up with the Demands of Open Source?

It's time to reassess your open source management policies and processes.

Unlike commercial software, whose publishers can push fixes, patches, and updates to their customers automatically, open source software follows a pull support model: you are responsible for keeping track of the patches and updates for every open source component used within your organization, including the fixes for security vulnerabilities. So, no pressure, right?


The ubiquity of open source, coupled with the pull support model, gives attackers a target-rich environment: vulnerabilities are disclosed publicly through a variety of sources such as the National Vulnerability Database (NVD), mailing lists, GitHub issues, and project homepages, so anyone can learn which component versions are exploitable. Many organizations, however, don't keep accurate, comprehensive, and up-to-date inventories of the open source components used in their applications, and therefore cannot tell whether a disclosure affects them. For example, a 2019 staff report by the US Senate Permanent Subcommittee on Investigations noted that Equifax's lack of a complete software inventory was a contributing factor to its massive 2017 data breach.
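The check that the pull model obliges you to run yourself, as an added example that is not code from the article or from Black Duck: a component inventory is matched against advisory records carrying the "introduced / fixed in" version ranges that feeds such as the NVD publish. The package names, advisory identifiers, versions, and the inventory itself are all constructed for illustration; a real run would load the inventory from a build manifest or SBOM and the advisories from a vulnerability feed.

```python
"""Match an open source component inventory against vulnerability advisories.

Added example, not from the article or from Black Duck. All package names,
advisory identifiers and version ranges below are constructed (hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically.

    Comparing version strings lexically is a classic inventory bug:
    '1.10.0' < '1.9.0' as strings, so a patched 1.10.0 would be flagged
    as older than the 1.9.0 fix. A pre-release suffix such as '-rc1' is
    ignored here, which is a simplification of real version schemes.
    """
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str     # hypothetical identifier, not a real CVE
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def check_inventory(inventory: Dict[str, str], advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (component, advisory) pair that applies.

    Components that are absent from the inventory are never reported, which
    is exactly why an incomplete inventory hides exposure rather than
    revealing it.
    """
    findings = []
    for adv in advisories:
        version = inventory.get(adv.package)
        if version is None:
            continue  # not in use (or not inventoried, which looks the same)
        if is_affected(version, adv):
            findings.append({
                "package": adv.package,
                "version": version,
                "vuln_id": adv.vuln_id,
                "upgrade_to": adv.fixed,
            })
    return findings


# Constructed inventory: component name -> version currently shipped.
INVENTORY: Dict[str, str] = {
    "libfoo": "2.9.4",
    "libbar": "1.10.0",
    "libbaz": "0.3.1",
}

# Constructed advisories in the shape of a feed's affected-range data.
ADVISORIES: List[Advisory] = [
    Advisory("EX-2019-0001", "libfoo", introduced="2.0.0", fixed="2.10.1"),
    Advisory("EX-2019-0002", "libbar", introduced="1.2.0", fixed="1.9.0"),
    Advisory("EX-2019-0003", "libqux", introduced="4.0.0", fixed="4.0.2"),
]


if __name__ == "__main__":
    for finding in check_inventory(INVENTORY, ADVISORIES):
        print("{package} {version} affected by {vuln_id}; upgrade to {upgrade_to}"
              .format(**finding))
```

Only libfoo is reported: libbar 1.10.0 is already past the 1.9.0 fix (and would have been a false positive under string comparison), and libqux is not in the inventory at all, so the advisory for it is silently irrelevant, or silently missed if the inventory is simply incomplete.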


The newly released 2019 "Open Source Security and Risk Analysis" (OSSRA) report examines findings from audits of more than 1,200 commercial codebases performed in 2018. The audits were carried out by the Black Duck Audit Services team during the technical due diligence associated with activities such as a corporate merger or acquisition. In this context, a codebase is the source code for an application, library, or service. The audit results are anonymized and used as the input data for the OSSRA report.


In the 2019 OSSRA, we found that overall open source usage rose to 60% of the code within a codebase in 2018, up from 57% in 2017. Wh ..
