While many developers rely on open-source components, they may not be keeping ahead of the game when bugs are discovered.
Open-source projects have long proved a boon for software developers at large, but new research suggests that their use can compromise application security.
According to researchers from Black Duck Software, in the firm's 2017 Open Source Security and Risk Analysis (OSSRA) report, there are "significant cross-industry risks" in the use of open-source software; namely, vulnerabilities found in such software and components are not being addressed as they should.
The Burlington, MA-based firm says that due to lax security practices, this also presents a challenge for compliance -- and the results of the audit report should be a "wake-up call" for developers.
The new research includes audits of over 1,000 applications commonly used by the enterprise throughout 2016. In total, 96 percent of the apps included open-source components, and over 60 percent of the apps contained open-source security vulnerabilities -- some of which were over four years old.
Open-source software and components are valuable to the average developer as they can reduce development costs, increase the speed of getting products to market and boost innovation.
However, these projects rely on communities of developers using their talents for free, and sometimes, bugs can be missed.
Should an open-source component containing a vulnerability then make its way into third-party products, this, in turn, increases potential attack vectors and exposure which can compromise apps and software.
When bugs are discovered, such as Heartbleed -- an exploitable vulnerability in a component of OpenSSL -- vendors are responsible for patching these issues, but the report suggests that many companies have a lack of visibility into their own applications and just how much they rely on open-source components.
One of the most dangerous consequences of lax practices can be found within the financial industry. The researchers discovered security flaws in banking apps which contained 52 open-source vulnerabilities per app on average. In total, 60 percent of these applications contained bugs which are considered critical.
In addition, the retail and e-commerce industry had the highest proportion of applications with high-risk vulnerabilities: 83 percent of audited applications contained critical issues caused by unpatched open-source components.
Open-source licensing conflicts were also widespread throughout the audit.
Over 85 percent of the applications in the audit contained open-source components with licensing "challenges," such as intellectual property rights disparities -- including conflicting copyleft or permissive licenses, use and distribution rights, and compliance rule issues -- which are meant to protect the rights of the developers who have worked on the free components.
"Everyone is using lots of open-source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open-source components and vulnerabilities in their applications," said Chris Fearon, Director of Black Duck's Open Source Security Research Group.
"The results of the COSRI analysis clearly demonstrate that organizations in every industry have a long way to go before they are effective at managing their open source," Fearon added.