A recently published report from Black Duck Software revealed that a surprising number of applications contain high-risk vulnerabilities in their open source components.
Open source software revolutionized the software industry. If you’ve been in the industry for more than a decade, you probably remember what it used to be like: slow procurement of proprietary applications and libraries with onerous license fees. Today, every company has access to tens of thousands of high-quality software projects that scratch as many itches as there are itches to scratch. No one wants to go back to the bad old days before open source, but companies should nevertheless exercise caution before roping an open source component into their codebase.
According to the report, 96 percent of applications analyzed had vulnerabilities. 67 percent had vulnerabilities in their open source components. It’s unsurprising that a company that makes money finding vulnerabilities in enterprise codebases should publish findings of this nature, but it should give every company that uses open source components pause for thought. The problem becomes particularly pointed in the FinTech space, where 62 percent of applications have high-risk vulnerabilities. The eCommerce space is even worse, with 83 percent of applications containing high-risk vulnerabilities.
Does that mean we should stop using open source software? Absolutely not. Open source represents enormous value to businesses and developers. The startup ecosystem would be radically different without open source software — imagine if every web application developer had to start from scratch or invest up-front in proprietary solutions, if every web hosting provider and cloud platform had to pass on the price of a proprietary operating system license to its clients. Open source software enables innovation on a massive scale.
But the report is an indication that business should be circumspect about which open source components they include. It’s all too easy to grab a Node module or open source library without taking the time to check when it was updated, whether the project regularly closes issues, and how it handles reports of security vulnerabilities.
Open source software projects are started and abandoned for many different reasons. There are probably more orphaned open source projects than projects under active development. But a major benefit of open source is that development is carried out in public and the code is open to scrutiny. Developers can see how well-maintained projects are. It’s unreasonable to expect that every line of a complex open source project is checked before it’s used, but companies should at the very least satisfy themselves that when vulnerabilities are found, they’re promptly fixed.
However, patches are of no benefit if they’re never applied. Companies that use open source software in their applications have a responsibility to implement effective patch management processes. They must have a clear understanding of which open source code is in their applications, and monitor projects for security news and new releases. Of course, the process and consequences are exactly the same as with proprietary software: update or expose your company and its users to the risk of unmatched vulnerabilities.