Slashdot Mirror


The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com)

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

4 of 60 comments

  1. Re:So, let me get this straight. by NFN_NLN · · Score: 3, Informative

    Open source and security

    Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.

    The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

    “Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.
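
The "pull support model" quoted above comes down to two steps the consuming organization has to do itself: enumerate the open source components actually installed, then match each version against an advisory feed and see where the fix line is. The script below is an added example, not code from the Help Net Security article, the Black Duck report, or any commenter. The lockfile contents, package names and advisory IDs (`ADV-EXAMPLE-…`) are constructed placeholders, not real packages or real vulnerabilities, and the only assumption about the input format is the npm v2/v3 `package-lock.json` layout, where a `"packages"` object is keyed by install path.

```python
"""Dependency inventory and known-vulnerability check (added example).

Everything here is constructed for illustration: the lockfile text, the
package names and the advisory list are hypothetical placeholders.
"""
import json

# Constructed sample: the "packages" section of an npm v2/v3 lockfile.
# Nested installs appear under node_modules/<parent>/node_modules/<child>.
SAMPLE_LOCKFILE = json.dumps({
    "name": "proprietary-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "proprietary-app", "version": "0.1.0"},
        "node_modules/examplelib": {"version": "1.4.2"},
        "node_modules/leftpadish": {"version": "0.9.1"},
        "node_modules/examplelib/node_modules/nested-thing": {"version": "2.0.0"},
        "node_modules/safe-thing": {"version": "3.1.0"},
    },
})

# Constructed advisory feed (hypothetical IDs): affected range is
# [introduced, fixed), i.e. the fixed version itself is clean.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-0002", "package": "leftpadish",
     "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "nested-thing",
     "introduced": "2.1.0", "fixed": "2.1.5"},   # sample has 2.0.0, predates it
]


def parse_version(v):
    """'v1.10.2' -> (1, 10, 2). Numeric tuples compare correctly where a
    plain string compare would rank '1.9.0' above '1.10.0'. A -prerelease
    suffix is dropped, so '1.4.3-beta' is treated as 1.4.3."""
    core = v.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def inventory_from_lockfile(text):
    """Return a sorted list of (name, version) for every installed package.

    The same library can be installed twice at different versions (one
    nested under another dependency), so this keeps a list, not a dict.
    """
    data = json.loads(text)
    found = set()
    for path, meta in data.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        version = meta.get("version")
        if version is None:               # e.g. "link": true workspace entries
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        found.add((name, version))
    return sorted(found)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(inventory, advisories):
    """Match every (name, version) against the advisories.
    Returns a sorted list of (advisory_id, name, version, fixed)."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for name, version in inventory:
        for adv in by_package.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((adv["id"], name, version, adv["fixed"]))
    return sorted(findings)


if __name__ == "__main__":
    inv = inventory_from_lockfile(SAMPLE_LOCKFILE)
    print(f"{len(inv)} open source components in the lockfile")
    for adv_id, name, version, fixed in audit(inv, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {name}@{version} is affected; fix is in {fixed}")
```

The two pieces that matter in practice are the inventory walking every install path (a vulnerable copy nested under another dependency is still shipped with the app) and the numeric version comparison; both are where ad-hoc grep-based audits go wrong.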

  2. Re:"average 257 components per application." by Luthair · · Score: 1, Informative

    It's called modular software development; perhaps you should look into it? While it's true that NPM has had a lot of dependencies that do trivial things, that isn't really true for most Java libraries.

  3. Re:Open sores? by jellomizer · · Score: 3, Informative

    The open source security model works fine for an open source model.
    The closed source security model works fine for a closed source model.
    Mixing them is where the problems come up.

    The open source model works because when a flaw is found it can be fixed and pushed... except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix. Where it wasn't their code, they may be less willing to do that.

    The closed source model relies on the fact that problems are harder to find, allowing closed source apps to get away with flaws and giving them time to fully fix and patch the systems before it goes too far.

    When you mix them, such as closed source tools in an open source app, then if a closed source problem is found, the open source app doesn't have a way to fix it, but it is public that they are using that tool. And a closed source app using an open source plugin means there are a lot of eyes that know which particular flaw they can use.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  4. Re:"average 257 components per application." by Khyber · · Score: 3, Informative

    "Maybe you should look into 'dependency hell', a new special hell for applications written in the last year or two"

    You must be fucking new, because dependency hell was a thing in the 90s.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.