Slashdot Mirror


The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com)

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

60 comments

  1. "average 257 components per application." by greenwow · · Score: 5, Insightful

    Sounds like they're using Maven or NPM. Both include a ridiculous number of transitive dependencies.

    1. Re:"average 257 components per application." by Luthair · · Score: 1, Informative

      It's called modular software development, perhaps you should look into it? While it's true that NPM has had a lot of dependencies that do trivial things, that isn't really true for most Java libraries.

    2. Re:"average 257 components per application." by greenwow · · Score: 2

      Easy for you to say when the output of "mvn dependency:tree -Dverbose" doesn't include over two thousand lines of output.

    3. Re:"average 257 components per application." by Anonymous Coward · · Score: 0, Flamebait

      Maybe you should look into "dependency hell", a new special hell for applications written in the last year or two, where 10-20 libraries are to be obsoleted in 1-3 years?

      Or maybe "license hell", with developers with absolutely NO CLUE as to whether licenses are rightfully obtained or not, this year or next year, under what conditions.

      Or "security hell"... Ok, leave that to your imagination, if you have one. No you do not have one, but we'll leave you to it!

    4. Re:"average 257 components per application." by Anonymous Coward · · Score: 0

      You're fooling yourself if you think NPM has anything to do with modular software development. I'm in agreement with "dependency hell" guy.

    5. Re:"average 257 components per application." by Khyber · · Score: 3, Informative

      "Maybe you should look into "dependency hell", a new special hell for application written in last year or two"

      You must be fucking new, because Dependency hell was a thing in the 90s.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:"average 257 components per application." by Pseudonym · · Score: 1

      No, most Java dependencies do something large, complex, and buggy, and app developers pull it in anyway to do something that COULD be replaced by a trivial function.

      Though I don't do much mobile programming these days, so for all I know bloated-spyware-framework-in-a-box could be open source now.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    7. Re:"average 257 components per application." by K.+S.+Kyosuke · · Score: 1

      It's called modular software development, perhaps you should look into it?

      It's funny how kids today have rediscovered Modula-2.

      --
      Ezekiel 23:20
    8. Re:"average 257 components per application." by MouseR · · Score: 1

      Memories. My first commercial product on Mac was in Modula-2 which was kinda big in the late 80s early 90s, until Metcom succumbed to the dark side of C and IDEs to become Metrowerks.

      Back on topic;

      Today, I work for a larger company (celebrated my 20th year there this past October) and it's become progressively harder for our group to include OpenSource products. There is more than one reason why, but the biggest hurdle comes from Legal, which has to approve the licenses individually and research the background of the sources to some degree.

      Only a couple of months ago did our iOS group decide to use an in-house logging system rather than Apple's Unified Logging APIs, and one reason we did this was to be able to control the granularity of the generated logs: Apple's Unified Logging requires end-users to Vulcan-Nerve-Pinch their devices to trigger a "sysdiagnostic" core dump, generating a 250-meg archive that includes not only the current app but the entire logs, including other software; totally impractical for sending to support and engineering.

      As it turns out, this was the right decision due to the Zuckerberg effect. We now have to have way more scrutiny in what goes in the logs, and this is way easier than if we were to deal with a lot of open-source code that we would have to merge with our changes.

      Sometimes, we'd love to use open source. But most of the times, it's impractical; at least at the client level, when you have to deal with a large Legal department that oversees what you can/should and can't/shan't do.

    9. Re:"average 257 components per application." by Anonymous Coward · · Score: 0

      You must be fucking new, because Dependency hell was a thing in the 90s.

      It was, but there have been 20 years of development since then.
      The dependency hells that were conceivable back then are nothing compared to what we can achieve today.

      Back then it was unthinkable to have a runtime linked system that automatically pulls in incompatible libraries for you.
      At worst we had hotlinked animated under-construction gifs that would break.

      There has been so much progress since then.

    10. Re:"average 257 components per application." by Khyber · · Score: 1

      "Back then it was unthinkable to have a runtime linked system that automatically pulls in incompatible libraries for you."

      Java existed in 1995. Just saying.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  2. So, let me get this straight. by Anonymous Coward · · Score: 1

    The fear here is that the open source components in proprietary software is going to open up vulnerabilities?

    Promoting security through obscurity are we?

    WTF is going on here?

    1. Re:So, let me get this straight. by NFN_NLN · · Score: 3, Informative

      Open source and security

      Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.

      The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

      “Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.
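      greenwow's remark earlier in the thread that `mvn dependency:tree -Dverbose` runs to thousands of lines, and the article's point just above that you cannot defend against known vulnerabilities in components you do not know you ship, call for the same script: build a component inventory from the tree output and check it against an advisory list. The block below is an added example for this page, not code from the article, from Black Duck, or from anyone in the thread. The tree output, the project names and the advisory list (with placeholder identifiers) are constructed for the example, and the version comparison is a numeric simplification of Maven's real ordering rules.

```python
"""Inventory the components in `mvn dependency:tree -Dverbose` output and flag
resolved versions that fall inside a known-vulnerable range."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `mvn dependency:tree -Dverbose` output (not a real build).
# Maven's nearest-wins resolution keeps the version declared closest to the root
# and marks the losing transitive copy "omitted for conflict with <winner>".
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ shop-api ---
[INFO] com.example:shop-api:jar:1.4.0
[INFO] +- org.apache.commons:commons-collections4:jar:4.0:compile
[INFO] +- com.example:report-lib:jar:2.2.1:compile
[INFO] |  +- (org.apache.commons:commons-collections4:jar:4.1:compile - omitted for conflict with 4.0)
[INFO] |  \\- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.example.web:http-client:jar:3.1.2:compile
[INFO] |  \\- (commons-io:commons-io:jar:2.6:compile - omitted for duplicate)
[INFO] \\- junit:junit:jar:4.12:test
"""

# Constructed advisory list with placeholder identifiers: every version below
# "fixed_in" is treated as affected. A real check would pull this from a feed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "org.apache.commons:commons-collections4", "fixed_in": "4.1"},
    {"id": "ADV-EXAMPLE-2", "name": "commons-io:commons-io", "fixed_in": "2.5"},
]

@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: Optional[str]     # None for the project's own root coordinate
    omitted: Optional[str]   # None if this copy is the one that ships

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"

LINE_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*\(?"                          # log prefix, tree drawing
    r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})"              # g:a:type[:classifier]:version[:scope]
    r"(?:\s+-\s+omitted for (?P<reason>duplicate|conflict with [\w.\-]+))?\)?\s*$"
)

def parse_dependency_tree(text: str) -> list:
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                 # plugin banner and other log lines
        parts = m.group("coord").split(":")
        if len(parts) == 4:                          # root: group:artifact:type:version
            group, artifact, _type, version = parts
            scope = None
        elif len(parts) == 5:                        # group:artifact:type:version:scope
            group, artifact, _type, version, scope = parts
        else:                                        # group:artifact:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = parts
        deps.append(Dep(group, artifact, version, scope, m.group("reason")))
    return deps

def build_inventory(deps) -> dict:
    """name -> {'resolved': versions that ship, 'requested': versions Maven dropped}."""
    inventory = {}
    for dep in deps:
        if dep.scope is None:                        # skip the project itself
            continue
        entry = inventory.setdefault(dep.name, {"resolved": set(), "requested": set()})
        entry["requested" if dep.omitted else "resolved"].add(dep.version)
    return inventory

def version_key(version: str) -> tuple:
    # Simplification: numeric fields only. Maven's ComparableVersion also orders
    # qualifiers such as -SNAPSHOT, -alpha and -rc.
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_vulnerable(inventory: dict, advisories) -> list:
    findings = []
    for adv in advisories:
        entry = inventory.get(adv["name"])
        if entry is None:
            continue
        for version in sorted(entry["resolved"], key=version_key):
            if version_key(version) < version_key(adv["fixed_in"]):
                findings.append((adv["id"], adv["name"], version))
    return findings

def report(text: str, advisories=ADVISORIES) -> list:
    inventory = build_inventory(parse_dependency_tree(text))
    lines = [f"{len(inventory)} distinct components"]
    for name, entry in sorted(inventory.items()):
        shadowed = entry["requested"] - entry["resolved"]
        note = f" (also requested at {', '.join(sorted(shadowed))})" if shadowed else ""
        lines.append(f"  {name} {', '.join(sorted(entry['resolved']))}{note}")
    for adv_id, name, version in find_vulnerable(inventory, advisories):
        lines.append(f"VULNERABLE {name}:{version} matches {adv_id}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE)))
```

      The shadowed versions matter for a different reason than the advisory match: when a transitive dependency asked for 4.1 and nearest-wins handed it 4.0, that library is running against an API version it was never tested with, which is the "critical application X needs that particular version" situation argued about below.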

    2. Re:So, let me get this straight. by laurencetux · · Score: 1

      if you don't "reinvent the wheel" make sure that you use a GOOD WHEEL.

      also if like everybody is using the same Lib then a bug in that lib is now a bug in everybody's application.

    3. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      The fear (assuming there really is some fear) is that the efficiency of code reuse comes with the security downside of monoculture. Proprietary implementations aren't so much offering "security through obscurity" as "security through diversity." Proprietary software avoids code reuse by not being as reusable.

    4. Re:So, let me get this straight. by Anonymous Coward · · Score: 1

      Meh, humbug scare piece full of broken logic and lies.

      commercial software, where updates are automatically pushed to users, open source has a pull support model

      Really? Since when do developers automatically get their components updated and push them out to their clients? All these old versions running around the place because "critical application X needs that particular version" would seem to indicate otherwise. And open source has a pull support model? Yeah, you pull your updates along with all the other updates, as opposed to certain commercial software which shall go unnamed, where you have to hunt down dozens of various more or less suspect websites in order to download your executable updates to bring your system fully up to date.

      This crap "news" is an insult to everyone with >2 working braincells.

    5. Re:So, let me get this straight. by ShanghaiBill · · Score: 2

      unlike commercial software, where updates are automatically pushed to users

      This is nonsense. Most commercial software does NOT automatically push updates to users.

      Also, most commercial updates focus on new features (which people will pay for) rather than bug fixes and security fixes.

    6. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      Companies are wanting freebies for software components to make more profit, and then "blame" open-source for their problems. Example - many devices like cameras actually run some smashed up form of Linux inside, but you the consumer will never know and only rarely be told. Never mind full access to the code so you can customize your own camera...
      Goes across the board - gadgets like toasters run Linux, maker does not have to pay a cent. Unlike trying to insert Loser10 (MS) or Oh-Dear OS (Apple) - the licensing alone would cripple any profits. And then you may have more Samsung vs Apple resource-wasting lawsuits for decades. Makers skip all that, insert free stuff, and SELL.
      Software the same - grab some free components, bake them in, done. The equivalent "commercial" libraries cost big bucks! And they have just as many holes in the code, but are slower on patching them. So this analysis is just an excuse to attack open source. Likely funded by MS and the gang somewhere in the anonymized background.

    7. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      open source != magic. commercial distribution of software does not change magically when the code is open source. If so, why would we believe that there is only bad magic and no good magic to balance it out in open source?

    8. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      All these old versions running around the place because "critical application X needs that particular version" would seem to indicate otherwise.

      Yet you couldn't even come up with one concrete example.

    9. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      So this analysis is just an excuse to attack open source.

      No, this is attacking the users of open source software with the fact that it's easier to find bugs in open source software by virtue of having access to the source code but that the users don't necessarily then fix those bugs (either by fixing them themselves or by pulling a patch from somebody else). Bugs are easier to find in open source, but it goes both ways, be that by white or black hat hackers.

      Likely funded by MS and the gang somewhere in the anonymized background.

      MS has become a huge contributor to the open source community in the past couple of years as well as being a significant user of open source in the exact context described here, this would be them attacking themselves.

    10. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      Much of open source code is security through obscurity anyway, even in the most popular and widely used open source products nobody is really looking at the code, that's how Heartbleed got to be such a big thing. How many people do you think are looking at the lesser used open source projects?

    11. Re:So, let me get this straight. by Khyber · · Score: 0

      Because anyone with at least an arm and an eye could throw a dart at a dartboard and nail a Java-based application 9 times out of 10 that matches the criteria exactly.

      Don't need to come up with concrete examples when the educated among us already had the same thought. You just need to be more educated.

      Back to school for you.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    12. Re:So, let me get this straight. by Anonymous Coward · · Score: 0

      Still couldn't come up with a concrete example, your patronising weasel words only make you look incompetent.

    13. Re:So, let me get this straight. by nagora · · Score: 1

      Of course, no one has ever found that their audited, secured system has been made vulnerable by a pushed update that had a flaw in it.

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    14. Re: So, let me get this straight. by Reverend+Green · · Score: 1

      There are at least two internal applications in my company that fit his description perfectly. This is not unusual. Almost everyone who currently works in software encounters this phenomenon on a regular basis.

      Yet you choose to be petulant and rude. You demand examples, with no awareness of what an answer would imply.

      Do you really expect someone to say, "At my company - X Corp - the Y system depends on an old, known-insecure version of package Z"?

        It's obvious you have no idea what you are talking about. Go back to Reddit.

    15. Re: So, let me get this straight. by Anonymous Coward · · Score: 0

      No, this is precisely what I am highlighting: the reason you can't come up with concrete examples is because they are not present in the broad industry but in your company's poorly developed and unmaintained internal applications. This problem is isolated to companies with bad internal practices like yours and you're projecting this onto the industry as a whole, which is wrong. If you have this problem with your internal software and systems that is your responsibility to deal with and is not a problem for the industry to address for you.

    16. Re: So, let me get this straight. by Reverend+Green · · Score: 1

      Ooooooookay, suuuuuure. Keep saying that, and maybe someone will believe you. I've worked with a lot of different client companies. Big, small, new, old - they all had this issue.

      Maybe you'd like to suggest a company that is blessedly free of all dependencies on obsolete software? I'm very curious to know who they are.. just in case I've seen their systems.

      Where do you see me, or anyone else here, asking "the industry" to address this issue? You don't, because you made that up. Because you like to hear the sound of your own voice. The problem is an accounting and management culture issue at the root. It's easy enough to fix, just needs resources allocated.

      I don't know what axe you're grinding. Care to elaborate?

    17. Re:So, let me get this straight. by Khyber · · Score: 1

      "Still couldn't come up with a concrete example, your patronising weasel words only make you look incompetent."

      No, you apparently failed to understand what I said, so no, you're the incompetent one, as I gave an example, actually by a percentage. 9 out of 10 Java-written programs. The only Java programs that don't suffer are the ones that get compiled with something like Excelsior JET so everything required is contained within the binary and isn't dependent upon external libraries which may or may not get a proper update.

      You are also demonstrating that you've got zero actual coding experience. Every programming language has dependency problems.

      Back to school for you, child.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  3. Open sores? by mi · · Score: 0

    The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them

    This has been the argument against open source for over 25 years — and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Open sores? by jellomizer · · Score: 3, Informative

      The open source security model works fine for an open source model.
      The closed source security model works fine for a closed source model.
      Mixing them is where the problems come up.

      The open source model works because when a flaw is found it can be fixed and pushed... Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix. Where it wasn't their code they may be less willing to do that.

      The closed source model relies on the fact that problems are harder to find, allowing closed source apps to get away with flaws and giving them time to fully fix and patch the systems before it goes too far.

      When you mix them, such as closed source tools in an open source app, then if a closed source problem is found, the open source app doesn't have a way to fix it, but it is public that they are using that tool. And a closed source app using an open source plugin means there are a lot of eyes that know which particular flaw they can use.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Open sores? by mi · · Score: 2

      Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix

      The same problem exists in open-source world too. Tons of packages bundle other packages inside. This is such a pervasive problem, FreeBSD, for example, has a special page instructing porters to fight it — and many still don't...

      OpenOffice used to be the worst offender, bundling just about everything (python, libxml, boost, xmlsec — you name it). Firefox and Thunderbird continue to bundle their own jpeg, nspr and nss, vpx, vorbis and ogg, zlib and bz2, ICU and graphite2, harfbuzz — something a build system needs to patiently overwrite with --with-system-foo for every "foo".

      There is nothing to lose from mixing open- and closed-source. The more of the former, the better. Moreover, the sole reason the latter even exists is to protect proprietary secrets from competitors. Including, as so often happens, the secret of how bad it is...

      The closed source model relies on the fact that problems are harder to find

      Yeah, this is known as the infamous "security through obscurity". It may be harder to find for a script-kiddie — who would not find it in an open-source package either — but not for dedicated professionals, who research exploits for a living and sell them to the highest-bidders.

      You may think you have time to fix your code and ship an update, but you really don't. And, if you are a customer, you are completely at the vendor's mercy — without the source code, you can't fix it yourself.

      --
      In Soviet Washington the swamp drains you.
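      The bundled copies mi lists above (a private zlib, jpeg, nss and so on inside a larger package) are exactly what an audit has to find, because a distribution's rebuilt zlib does nothing for the copy compiled into somebody else's tree. The block below is an added example for this page, not code from the thread or from any audit vendor: it walks a source tree looking for the version macros that the public headers of a few common C libraries define, and reports any library that turns up more than once. The macro names are those of the real headers; the sample tree, its paths and the header contents are constructed for the example, and the signature table is deliberately small (a real fingerprinting tool matches far more than a handful of headers).

```python
"""Locate bundled ("vendored") copies of common C libraries in a source tree by
matching the version macros their public headers define, and report libraries
that appear more than once."""
import os
import re
import tempfile
from dataclasses import dataclass

# Header file name and the macro that carries the version, per library. The
# macro names match the real headers; the set is illustrative, not exhaustive.
SIGNATURES = {
    "zlib":    ("zlib.h",     re.compile(r'#\s*define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "libpng":  ("png.h",      re.compile(r'#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')),
    "libjpeg": ("jpeglib.h",  re.compile(r'#\s*define\s+JPEG_LIB_VERSION\s+(\d+)')),
    "openssl": ("opensslv.h", re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"([^"]+)"')),
    "sqlite":  ("sqlite3.h",  re.compile(r'#\s*define\s+SQLITE_VERSION\s+"([^"]+)"')),
}
HEADER_TO_LIB = {header: lib for lib, (header, _) in SIGNATURES.items()}

@dataclass(frozen=True)
class Finding:
    library: str
    version: str
    path: str          # relative to the scanned root

def scan_tree(root: str) -> list:
    """Walk root and return one Finding per bundled library header found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            lib = HEADER_TO_LIB.get(fname)
            if lib is None:
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            m = SIGNATURES[lib][1].search(text)
            if m:                      # right file name but no version macro: ignored
                findings.append(Finding(lib, m.group(1), os.path.relpath(full, root)))
    return sorted(findings, key=lambda f: (f.library, f.path))

def duplicates(findings) -> dict:
    """library -> findings, for libraries bundled more than once."""
    by_lib = {}
    for f in findings:
        by_lib.setdefault(f.library, []).append(f)
    return {lib: fs for lib, fs in by_lib.items() if len(fs) > 1}

def make_sample_tree() -> str:
    """Constructed source tree: minimal stand-ins for the real headers."""
    root = tempfile.mkdtemp(prefix="vendored-")
    files = {
        "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.8"\n',
        "app/contrib/png/zlib.h":  '#define ZLIB_VERSION "1.2.11"\n',
        "app/contrib/png/png.h":   '#define PNG_LIBPNG_VER_STRING "1.6.37"\n',
        "ext/openssl/include/openssl/opensslv.h":
            '# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1  11 Sep 2018"\n',
        "docs/jpeglib.h":          '/* notes only, no version macro */\n',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    found = scan_tree(make_sample_tree())
    for f in found:
        print(f"{f.library:8} {f.version:28} {f.path}")
    for lib, copies in duplicates(found).items():
        print(f"{lib} bundled {len(copies)} times: " + ", ".join(c.version for c in copies))
```

      Matching on version macros catches only copies that kept their headers; a library pasted in as a handful of renamed .c files needs content fingerprinting, which is the part of an audit product that a script like this does not replace.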
    3. Re:Open sores? by Kjella · · Score: 3, Insightful

      This has been the argument against open source for over 25 years — and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?

      It's been debunked in open source software, but there are many ancient and abandoned versions of open source libraries in closed source software, either because nobody takes responsibility or they're relying on some deprecated API or custom modifications. Which is a pretty big risk: when an exploit is found in the current code base, that library will get rebuilt and pushed out to Linux distributions but not to your average random COTS software. But they seem to be pushing for Win10-style force fed updates, whether you like it or not. I suppose it's necessary for idiots who refuse to patch and become part of the latest botnet, but keep that far away from me...

      --
      Live today, because you never know what tomorrow brings
    4. Re:Open sores? by Anonymous Coward · · Score: 0

      The open source model works because when a flaw is found it can be fixed and pushed... Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix.

      You mean 3rd parties can fix vulnerabilities in open source code, but when you look at the vast array of active projects on github and sourceforge the average number of contributors to projects is 1-2. It's nice in theory but there's no real evidence to support that it happens in practice.

    5. Re:Open sores? by Anonymous Coward · · Score: 0

      The closed source model relies on the fact that problems are harder to find

      The Linux kernel is open source, yet one of the most effective ways of finding problems is one that doesn't care about source at all. It's called "fuzzing", and involves feeding the kernel random garbage and seeing how it handles it.

      But that's just finding the problems. Fixing them is of course a lot easier with source. So it would have been more correct to say that "the closed source model relies on the fact that problems are harder to fix".
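      The fuzzing the comment above describes for the kernel works the same way against any parser: the harness never reads the source, it feeds mutated inputs to an opaque target and watches for anything that is not a clean rejection. The block below is an added example, not code from the thread. The record format, both parsers and the seed are constructed for it, and the deterministic sweep followed by random "havoc" mutations is a deliberately minimal imitation of what fuzzers such as AFL do, without the coverage feedback that makes them effective on large targets. The sloppy parser stands in for the bug class; the checked parser beside it is the fix, and the same harness shows the difference.

```python
"""Black-box mutation fuzzer: the target is an opaque callable, inputs are
mutated seeds, and anything other than a clean rejection is recorded as a crash."""
import random
from functools import reduce

def xor_all(body: bytes) -> int:
    return reduce(lambda a, b: a ^ b, body, 0)

def parse_records(data: bytes) -> list:
    """Constructed target: [count] then count x ([len][body][xor checksum]).
    Sloppy about bounds the way real parsers often are: a count or length that
    runs past the buffer becomes an IndexError instead of a rejection."""
    if not data:
        raise ValueError("empty input")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        length = data[pos]                             # IndexError on truncated input
        body = data[pos + 1:pos + 1 + length]          # slicing silently shortens
        if data[pos + 1 + length] != xor_all(body):    # may index past the end
            raise ValueError("bad checksum")
        records.append(body)
        pos += 2 + length
    return records

def parse_records_checked(data: bytes) -> list:
    """Hardened form: every read is bounds-checked, so malformed input is
    rejected with ValueError rather than crashing."""
    if not data:
        raise ValueError("empty input")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated: missing length byte")
        length = data[pos]
        end = pos + 1 + length                         # index of the checksum byte
        if end >= len(data):
            raise ValueError("truncated: body or checksum missing")
        body = data[pos + 1:end]
        if data[end] != xor_all(body):
            raise ValueError("bad checksum")
        records.append(body)
        pos = end + 1
    return records

# Constructed seed: one record, body b"abc", checksum 0x61 ^ 0x62 ^ 0x63 = 0x60.
SEEDS = [b"\x01\x03abc\x60"]

def boundary_sweep(data: bytes):
    """Deterministic stage: every position set to each interesting byte value."""
    for i in range(len(data)):
        for value in (0x00, 0x01, 0x7f, 0x80, 0xff):
            buf = bytearray(data)
            buf[i] = value
            yield bytes(buf)

def havoc(data: bytes, rng: random.Random) -> bytes:
    """Random stage: one of bit flip, boundary byte, insert, delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x01, 0x7f, 0x80, 0xff))
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=500, rng_seed=1, rejection=(ValueError,)) -> dict:
    """Return {exception type name: first input that raised it}. The target's
    source is never consulted; only how it behaves on each input counts."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    crashes = {}

    def run(candidate: bytes) -> None:
        try:
            target(candidate)
        except rejection:
            return                                     # handled: the parser said no
        except Exception as exc:                       # unhandled: that is the finding
            crashes.setdefault(type(exc).__name__, candidate)
            return
        corpus.append(candidate)                       # accepted: reuse as a seed

    for seed in seeds:
        for candidate in boundary_sweep(seed):
            run(candidate)
    for _ in range(iterations):
        run(havoc(rng.choice(corpus), rng))
    return crashes

if __name__ == "__main__":
    print("sloppy parser:", {k: v.hex() for k, v in fuzz(parse_records, SEEDS).items()})
    print("checked parser:", fuzz(parse_records_checked, SEEDS))
```

      The first crash comes out of the deterministic stage already: setting the count byte of the seed to 0x7f makes the sloppy parser read a second record that is not there. Replaying that input against the checked parser gives a ValueError, which is the behaviour the fix is supposed to produce.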

    6. Re: Open sores? by Reverend+Green · · Score: 1

      Sounds like the main problem is companies that are too cheap, lazy, and/or incompetent to update their proprietary shitware.

  4. Suggesting... by El+Cubano · · Score: 4, Insightful

    The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting ...

    ... that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary code almost certainly has not received independent peer review.

    The article itself contains this bit:

    ... unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

    That makes me wonder about some things. The article is supposedly about proprietary apps, not proprietary components. If I, as a commercial software developer, license a commercial library for something, the vendor of that library does not "push" updates into my code base. I still have to decide to upgrade (assuming my maintenance contract is current and I have that option).

    Also, they don't bother to specify whether their audit accounts for whether the developer is using the code under an open source or a commercial license. For example, Java can be used open source (as in OpenJDK) or via a commercially supported license from Oracle. They also mention license compliance risk, which is yet another red herring. Commercially licensed components also carry a compliance risk with them.

    This just seems like yet another article trying to scare engineering and development managers into purchasing the services of audit and compliance outfits. Or, put another way, nothing to see here.

    1. Re:Suggesting... by Actually,+I+do+RTFA · · Score: 1

      that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary almost certainly has not received independent peer review.

      True, but, given what I've seen, it's not uncommon to import tens of thousands of lines of code to access one function. Definitely there is a wider attack surface.

      --
      Your ad here. Ask me how!
    2. Re: Suggesting... by Anonymous Coward · · Score: 0

      But then if your code only uses that one function then you are not hit by an exploit in one of these thousands of dependencies.

    3. Re: Suggesting... by Actually,+I+do+RTFA · · Score: 1

      For compiled code, sure. For JS/PHP/etc all the code is there (and possibly misconfigured.)

      --
      Your ad here. Ask me how!
    4. Re:Suggesting... by Anonymous Coward · · Score: 0

      Or they could be talking about licenses such as Creative Commons Share Alike 3.0, AGPL, Non-Commercial Usage, and any other number of Open Source Licenses that actually exclude commercial terms or aim for releasing source code.

  5. GPLv4 by Anonymous Coward · · Score: 0, Interesting

    Eventually the GPL will require that any closed source program that exec's a GPL'd piece of software to be also released as open source.

    1. Re:GPLv4 by Anonymous Coward · · Score: 2, Insightful

      Open Source != GPL. A lot of the software mentioned here could very well be under a more permissive license. Consider how much software uses OpenSSL (and usually packages its own version of it).

  6. Also huge selection bias by raymorris · · Score: 4, Insightful

    When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.

    When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.

    Of course most codebases that people use Black Duck on have open source code - that's what Black Duck is for, listing which parts are OSS. It's like saying "96% of people who called Water Leak Locators had a water leak." Well no shit, you don't hire someone to find the water leak unless you think you have a water leak.

    Occasionally, people use Black Duck to show someone else that there isn't OSS code, but normally if you don't have OSS code, you don't need to go looking for what isn't there.

    1. Re:Also huge selection bias by ben_kelley · · Score: 1

      And so reading this article, I'm wondering: If I'm worried about attackers leveraging vulnerabilities in my source code, is there any product I could buy that might help me with this new found concern?

    2. Re:Also huge selection bias by Anonymous Coward · · Score: 0

      When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.

      When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.

      It goes beyond that. When you manage your code well so you already know which parts are open source and which are not, there's no need to use Black Duck. It's basically a tool for companies with loose development practices who don't know what's in their code base.

    3. Re:Also huge selection bias by Anonymous Coward · · Score: 0

      An audit is usually part of a M&A deal, unless you're willing to let the acquiring company look at your code.
      Also, you'd be surprised what is in both Open Source and in closed source software.

    4. Re:Also huge selection bias by Anonymous Coward · · Score: 0

      It's basically a tool for companies with loose development practices who don't know what's in their code base.

      I'm thinking software acquired through mergers or buyouts.

      Sure, you have told management that it will be easier to just rewrite the software from scratch than to sit down and understand their code to a point where you can start modifying it.
      But they paid money for the software so clearly you must be wrong and the software must be very valuable.
      So here we are, with a bunch of software no-one in the company knows anything about. Why not use some tools to at least get an idea of the licensing?

    5. Re:Also huge selection bias by Anonymous Coward · · Score: 0

      Don't be concerned that you're using open-source code. Instead, be concerned if you're using proprietary code - proprietary has many more bugs due to fewer developers finding & fixing them.

      This article is merely a sneak attack on open source.

      If the percentage of open stuff in apps is rising, then the risk of "leveraging vulnerabilities" is decreasing, as open-source bugs are easier to get rid of. For example, your developers can fix an open-source bug themselves if it presents a risk to their app. Can't do that with proprietary . . .

  7. Yeah by Anonymous Coward · · Score: 0

    And anyway, how is this News for Nerds?

  8. So this is good, right? by TheDarkener · · Score: 1

    Before open source development was a thing, I imagine every development outfit was an island (unless there were cross-licensing deals in place). Now that there's all this pro-quality open source code floating around, these same types of outfits are "borrowing" it for their own proprietary means at no cost to them.

    I think of a day when proprietary software is looked at with skepticism by default because it is so very likely that it contains this "borrowed" open source code. Most of that will likely be hidden away in the cloud, though, behind a different kind of lock and key.

    We live in technologically interesting times, for sure.

    --
    It is pitch black. You are likely to be eaten by a grue.
  9. give away for free. people steal? by Anonymous Coward · · Score: 0

    who'd have thought?

  10. Attack of the Black Duck open source FUD .. by najajomo · · Score: 0

    "The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them"

    Black Duck, set up by an ex-microsoftie specifically to FUD Open Source software. See more open source fud from Black Duck partner Microsoft. It's sad seeing slashdot reduced to spouting Microsoft propaganda, I'm glad CmdrTaco isn't around to see it.

    1. Re:Attack of the Black Duck open source FUD .. by Luthair · · Score: 1

      It's very odd to me that you'd think it was about FUD. One could make an argument that Black Duck was protecting open source developers from others stealing their work.

      In terms of security these claims really shouldn't be seen as a knock on the quality of OS libraries; the reality is only trivial software can be perfect and pretty much every piece of commercial software has had security vulnerabilities.

    2. Re:Attack of the Black Duck open source FUD .. by Anonymous Coward · · Score: 0

      Really dumb question here... If you release open-source software, to the public, why the fuck would you be concerned about someone 'stealing' it?

      Just seems dumb as fuck to me.

    3. Re:Attack of the Black Duck open source FUD .. by Anonymous Coward · · Score: 0

      Not everyone uses the BSD license

  11. Exploiting other peoples work by Anonymous Coward · · Score: 0

    Most of those open source developers haven't gotten a single dime for their efforts. Which is why you should use the GPL license to prevent closed software from leeching off your work, or GPL + proprietary dual licensing to force them to pay you.

    1. Re: Exploiting other peoples work by Reverend+Green · · Score: 0

      GPL is too weak. Use AGPL instead.