Open source vulnerabilities remain unpatched for decades


Unpatched software vulnerabilities are one of the most serious cyber threats facing organisations around the world today, but it seems many software users remain oblivious to the danger.

A new report reveals an enormous number of identified open source vulnerabilities remain unpatched for 10 years and longer, often because organisations have no idea what open source code they are using.

According to the 2019 Open Source Security and Risk Analysis (OSSRA) report published by Synopsys this week, 43% of the codebases scanned in 1 200 audits of commercial applications and libraries by the Black Duck Audit Services team in 2018 contained vulnerabilities that were more than 10 years old. The oldest contained a vulnerability first disclosed 28 years earlier, in 1990.

The report is based on analysis of data from the Synopsys Cyber Security Research Centre's global research labs in Boston, Belfast, Calgary and Oulu, where the OpenSSL vulnerability known as Heartbleed was identified in 2014.

That open source software is widely used was again confirmed in this survey, which found it in more than half of the enterprise codebases analysed in 13 of 17 industries.

On average, the 2018 Black Duck Audits identified 298 open source components per codebase, up from 257 in 2017. In addition, open source represented 60% of all the code analysed in 2018, compared to 57% in the previous year.

Despite this increased use, there was an improvement in the number of codebases found to contain vulnerabilities: 60% in 2018, down from 78% in the previous year.

At the same time, a record number of new open source vulnerabilities were identified during the year, with 7 393 added to the Black Duck KnowledgeBase, compared to 4 800 in 2017.

However, of concern to the report's authors was the fact that the average age of the vulnerabilities identified in the 2018 audits was 6.6 years, slightly higher than in 2017, indicating that remediation efforts had not improved. One likely explanation, the report suggests, is that users are not aware of what open source software they are using.

With software developers routinely taking code from open source repositories and embedding it in their companies' products to speed up development and save time and money, manually tracking components, their versions and their vulnerabilities is well beyond the capabilities of most organisations.

The report recommends all organisations invest in an automated solution for identifying and patching known vulnerabilities. "You can't patch software if you don't know you are using it," the authors point out.

The report emphasises that surveys of open source vulnerability should not be regarded as an attack on open source.

"The risk issue is unpatched software, not open source use... Open source is not less secure than proprietary code. But neither is it more secure. All software, be it proprietary or open source, has weaknesses that might become vulnerabilities, which organisations must identify and patch," the OSSRA report states.

It identifies another risk associated with open source, that of "operational risk".

Operational risk arises from the fact that many open source components in use are "abandoned": they do not have a community of developers contributing to, patching or improving them.

Black Duck Audits found 85% of the codebases it examined contained components that were more than four years out of date, or had seen no development activity in the last two years.

If a component is inactive and no one is maintaining it, no one is addressing its potential vulnerabilities, and the risk to the organisation using it is vastly increased.
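The report's two measurements, the age of known unpatched vulnerabilities and the "out of date or inactive" test for operational risk, are simple enough to compute from a component inventory. The following is an added example, not code from the report or from Black Duck; the inventory, component names and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory; names, versions and dates are placeholders, not OSSRA data.
TODAY = date(2018, 12, 31)

@dataclass
class Component:
    name: str
    version: str
    release_date: date               # release date of the version in use
    last_activity: date              # most recent upstream commit or release
    unpatched_disclosures: list = field(default_factory=list)  # disclosure dates of known, unfixed vulns

def _years(since, today):
    return (today - since).days / 365.25

def vuln_ages_years(components, today=TODAY):
    """Age, in years, of every known unpatched vulnerability across the codebase."""
    return [_years(d, today) for c in components for d in c.unpatched_disclosures]

def average_vuln_age(components, today=TODAY):
    """The per-codebase figure the report averages to 6.6 years across 2018 audits."""
    ages = vuln_ages_years(components, today)
    return sum(ages) / len(ages) if ages else 0.0

def decade_old(components, today=TODAY):
    """Components carrying at least one vulnerability disclosed more than 10 years ago."""
    return [c.name for c in components
            if any(_years(d, today) > 10 for d in c.unpatched_disclosures)]

def operational_risk(components, today=TODAY, stale_years=4, inactive_years=2):
    """Flag components more than four years out of date or with no development
    activity in the last two years (the report's two operational-risk criteria)."""
    flagged = []
    for c in components:
        reasons = []
        if _years(c.release_date, today) > stale_years:
            reasons.append("stale")
        if _years(c.last_activity, today) > inactive_years:
            reasons.append("inactive")
        if reasons:
            flagged.append((c.name, " and ".join(reasons)))
    return flagged

SAMPLE = [
    Component("libfoo", "1.2.0", date(2012, 5, 1), date(2018, 11, 1), [date(2008, 3, 1)]),
    Component("barutil", "3.0.1", date(2017, 6, 15), date(2017, 6, 15)),
    Component("bazparse", "0.9", date(2015, 2, 10), date(2015, 2, 10), [date(2014, 4, 7)]),
]
```

In practice the inventory would come from a software composition analysis tool or an SBOM rather than being typed in, which is the point the report makes about automation.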
