Synopsys Study Highlights Core Challenges with Managing Open Source Risk in Software Supply Chains
By : Nata Kesuma | Thursday, April 14 2022 - 22:36 IWST
![Synopsys, Inc. (Nasdaq: SNPS)](https://eagle.industry.co.id/uploads/berita/detail/4842.jpeg)
Synopsys, Inc. (Nasdaq: SNPS)
INDUSTRY.co.id - SINGAPORE – Synopsys, Inc. (Nasdaq: SNPS) today released the 2022 Open Source Security and Risk Analysis (OSSRA) report.
The report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 2,400 audits of commercial and proprietary codebases from merger and acquisition transactions, performed by the Black Duck® Audit Services team.
The report highlights trends in open source usage within commercial and proprietary applications and provides insights to help developers better understand the interconnected software ecosystem. It also details the pervasive risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.
The 2022 OSSRA report findings underscore the fact that open source is used everywhere, in every industry, and is the foundation of every application built today.
Outdated open source remains the norm, including the presence of vulnerable Log4j versions. From an operational risk and maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out of date, 88% used components that were not the latest available version, and 5% contained a vulnerable version of Log4j.
Assessed codebases show open source vulnerabilities are decreasing overall. 2,097 of the assessed codebases included security and operational risk assessments. There was a more dramatic decrease in the number of codebases containing high-risk open source vulnerabilities. 49% of this year’s audited codebases contained at least one high-risk vulnerability, compared to 60% last year. Additionally, 81% of the assessed codebases contained at least one known open source vulnerability, a minimal decrease of 3% from the findings of the 2021 OSSRA.
License conflicts are also decreasing overall. Over half (53%) of the codebases contained license conflicts, a substantial decrease from the 65% seen in 2020. In general, specific license conflicts decreased across the board between 2020 and 2021.
20% of assessed codebases contained open source with no license or with a customized license. Since a software license governs the right to use the software, a component with no license presents the dilemma of whether using it entails legal risk. Additionally, customized open source licenses might place undesirable requirements on the licensee and will often require legal evaluation for possible IP issues or other implications.
“Users of SCA software have focused their attention on reducing open source license issues and addressing high-risk vulnerabilities, and that effort is reflected in the decreases we saw this year in license conflicts and high-risk vulnerabilities,” said Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.
“The fact remains that over half of the codebases we audited still contained license conflicts and nearly half still contained high-risk vulnerabilities. Even more troubling was that 88% of the codebases [with risk assessments] contained outdated versions of open source components with an available update or patch that was not applied.”
“There are justifiable reasons for not keeping software completely up-to-date,” Mackey continued. “But, unless an organization keeps an accurate and up-to-date inventory of the open source used in their code, an outdated component can be forgotten until it becomes vulnerable to a high-risk exploit, and then the scramble to identify where it’s being used and to update it is on. This is precisely what occurred with Log4j, and why software supply chains and Software Bill of Materials (SBOM) are such hot topics.”