OSS scores lower on security compliance: survey

No fewer than 16% of open source software (OSS) projects score lower for compliance with security-critical rules than WebGoat, a deliberately insecure Web application maintained by the Open Web Application Security Project to teach Web application security lessons to developers.

This was one of the key findings of new research undertaken by CAST, a global software intelligence company, to evaluate the structural quality of OSS. The 2018 Software Intelligence Report involved 61 different categories of open source projects, made up of 75,000 source files and 8.9 million lines of code.

The analysis scored the different applications for five important structural characteristics - transferability, robustness, changeability, efficiency and security - and compared this to software built in-house or by outsourced teams.

According to Lev Lesokhin, EVP of Strategy and Analytics at CAST and co-author of the report, while the growing popularity and widespread use of OSS in enterprise applications helps developer teams to work faster, this may come at a cost to the robustness, efficiency and security of those applications meant to support business functions.

"It's incredibly important for organisations to have visibility into the quality of OSS that supports business applications. As we saw with the Struts vulnerabilities that exposed Equifax, software flaws in open source components are more easily exploitable by hackers. This report aims to help the communities that build OSS and the organisations that use it," he said.

The research found that OSS is generally better quality than in-house software on four of the five structural characteristics examined. However, when it comes to critical efficiency rules that impact performance and end-user experience, in-house IT systems scored higher.

OSS generally complies better with critical quality rules, with analytics and cloud/DevOps OSS scoring highest, followed by blockchain, security and database projects.

On the robustness front, blockchain, cloud/DevOps and programming languages received the highest compliance scores, while database and security projects generally recorded the lowest compliance scores. Blockchain, in particular, was deemed to be extremely robust.

The security compliance results of the survey were intriguing. Many projects fared worse on security compliance than the deliberately insecure reference applications.

In fact, some projects - particularly those in the database category - scored worse even than all four of the deliberately insecure apps in the sample examined - WebGoat, Spiracle, Security Shepherd and AltoroJ. Most concerning was the fact that blockchain and database apps received the lowest scores for compliance with security-critical rules compared to other project categories. The report's authors acknowledge that these findings are not all definitive vulnerabilities, but they do denote a serious concern.

When it came to efficiency compliance scores, analytics projects generally received the best scores and, once again, database and blockchain projects scored lowest - and it was these poor ratings that resulted in OSS ranking below in-house software on efficiency-critical rules.

The research also found that OSS was more maintainable than in-house apps, with far fewer lines of code per file.