This article is part of the TechXchange: Cybersecurity
What you’ll learn
- What types of vulnerabilities exist in open-source software?
- What licensing issues are affecting application development?
Synopsys is in the software business and safety and security are areas that the company focuses on.
This year’s annual 2022 Open Source Security and Risk Analysis (OSSRA) report, which you can download, has good and bad things to disclose. The results were based on an audit of 2,409 open-source projects. Many of the issues and observations will be applicable to closed-source solutions as well, but a significant amount of software now depends on open-source support.
The general trend indicates the overall open-source codebase vulnerability is dropping (Fig. 1). There was a 3% decrease in high-risk vulnerabilities per codebase. Unfortunately, “88% of the codebases contained components that had no new development in the past two years, and these were behind in user updates.”
Overall, almost 80% of the codebases were open source and almost the same percentage had at least one vulnerability (Fig. 2). Likewise, a significant number of projects experienced licensing issues. This is often due to the different licenses that are associated with components in an open-source project. A license that covers an application must take into consideration the licenses and limitations of its components.
The report lists the top 10, which include errors like incorrect cryptographic algorithms (CVE-2020-187) and default permissions issues (CVE0-202-8022). The report runs down the CVE numbers as well as Synopsys’s Black Duck Security Advisories (BSDA).
Security, and hence safety, problems continue to plague the software industry. Problems like log4j’s security issue are commonplace and can affect a large number of developers and products because of the widespread use of open-source software, whose maintenance and design is often nebulous.
The advantage of open-source software is availability. The challenge is its quality and maintenance. As noted in Robert Heinlein’s science fiction novel, The Moon is a Harsh Mistress, there’s no such thing as a free lunch (TINSTAAFL).
Certain tools and services can greatly improve the support and maintenance of open-source software. This includes license tracking and management, which can be difficult when a variety of licenses cover different software components.
Read more articles in the TechXchange: Cybersecurity