Open source has been a much-loved term in recent years, rebelling against the profiteering software companies dominating the industry. Decentralization, rapid development cycles, available to all and often free (well, cheap at least once you factor in maintenance, support, etc.)... what's not to love?
Well, according to the team at Synopsys, unmanaged open-source code is a potential risk factor for businesses around the world, one that needs to be identified and mitigated before it becomes a bigger issue. In their white paper on mitigating open-source risk, Synopsys surveyed 1500+ IT professionals and found that an "overwhelming majority" of modern codebases use open-source software.
You can find the paper at: https://www.synopsys.com/software-integrity/resources/white-papers/navigate-open-source-risk.html
To complete their research, Synopsys audited numerous large systems and found that most of them contained components with known security vulnerabilities, and that leaving those unmanaged put the organizations at increased risk of data breaches, as well as large fines.
A Principal Security Strategy Engineer who helped produce the report noted that the majority of businesses are not tracking and managing their open-source risk well and that it often takes companies 2-3 weeks to install patches. According to the report, this is often due to the lack of automated software composition analysis (SCA) tools; without them, engineers can remain unaware of new releases.
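As an added illustration of what such a composition-analysis check does (example code written for this post, not Synopsys's tool or anything from the report; every package name, version, advisory and date below is constructed), here is a minimal pass that parses a pinned requirements list, matches each pin against an advisory feed, and reports how long a fix has already been available:

```python
"""Minimal SCA-style check over a pip-style requirements list (illustrative)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    package: str
    affected_below: tuple  # versions strictly below this tuple are affected
    fixed_in: str
    fix_released: date


# Constructed advisory feed: placeholder packages, not real advisories.
ADVISORIES = [
    Advisory("examplelib", (2, 4, 0), "2.4.0", date(2024, 1, 10)),
    Advisory("netparse", (1, 0, 5), "1.0.5", date(2024, 2, 1)),
]

# Constructed sample manifest and assessment date.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.1   # vulnerable pin: below the fixed version
netparse==1.0.5     # already at the fixed version
requests            # unpinned: cannot be assessed precisely, skipped
"""
TODAY = date(2024, 2, 14)


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def parse_requirements(text: str) -> dict:
    """Return {name: version} for 'name==version' lines; ignore comments/blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins: dict, advisories, today: date) -> list:
    """Return (package, pinned, fixed_in, days_since_fix) for each affected pin."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is not None and parse_version(pinned) < adv.affected_below:
            findings.append((adv.package, pinned, adv.fixed_in, (today - adv.fix_released).days))
    return findings


if __name__ == "__main__":
    for pkg, ver, fix, age in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS), ADVISORIES, TODAY):
        print(f"{pkg}=={ver}: fix {fix} has been available for {age} days")
```

The days-since-fix figure is the number an organisation would compare against its own patch window; a real tool would pull the feed from a vulnerability database and resolve transitive dependencies from a lockfile.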
All of this can leave skilled attackers plenty of time to cause major damage and even bigger financial expenditure.
Moral of the story? Companies should probably look at paying for better management of open-source components in their codebase if they do not want to risk major financial liability.