The Percentage of Open Source Code in Proprietary Apps is Rising

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

"average 257 components per application."

[greenwow]

Sounds like they're using Maven or NPM. Both include a ridiculous number of transitive dependencies.

Suggesting...

[El+Cubano]

The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting ...

... that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary almost certainly has not received independent peer review.

The article itself contains this bit:

... unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

That makes me wonder about some things. The article is supposedly about proprietary apps, not proprietary components. If I, as a commercial software developer, license a commercial library for something, the vendor of that library does not "push" updates into my code base. I still have to decide to upgrade (assuming my maintenance contract is current and I have that option).

Also, they don't bother to specify whether their audit accounts for whether the developer is using the code under an open source or a commercial license. For example, Java can be used open source (as in OpenJDK) or via a commercially supported license from Oracle. They also mention license compliance risk, which is yet another red herring. Commercially licensed components also carry a compliance risk with them.

This just seems like yet another article trying to scare engineering and development managers into purchasing the services of audit and compliance outfits. Or, put another way, nothing to see here.

Also huge selection bias

[raymorris]

When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.

When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.

Of course most codebases that people use Black Duck on have open source code - that's what Black Duck is for, listing which parts are OSS. It's like saying "96% of people who called Water Leak Locators had a water leak. Well no shit, you don't hire someone to find the water leak unless you think you have a water leak.

Occasionally, people use Black Duck to show someone else that there isn't OSS code, but normally if you don't have OSS code, you don't need to go looking for what isn't there.

Re:GPLv4

Open Source != GPL. A lot of the software mentioned here very well could be more permissive license. Consider how much software uses OpenSSL(and usually packages their own version with it).

Re:Open sores?

[Kjella]

This has been the argument against open source for over 25 years â" and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?

It's been debunked in open source software, but there are many ancient and abandoned versions of open source libraries in closed source software, either because nobody takes responsibility or they're relying on some deprecated API or custom modifications. Which is a pretty big risk when an exploit is found in the current code base, that library will get rebuilt and pushed out to Linux distributions but not your average random COTS software. But they seem to be pushing for Win10-style force fed updates, whether you like it or not. I suppose it's necessary for idiots who refuse to patch and become part of the latest botnet, but keep that far away from me...