- About 70% of cybersecurity relies on open source as opposed to proprietary code, according to Synopsys' findings from more than 1,200 commercial codebases across industries audited in 2018.
- The research found 99% of the scanned codebases had more than 1,000 files containing open source components. There were nearly 300 open source components per codebase in 2018, an uptick from 257 components in 2017.
- While the open source community does "an exemplary job" deploying patches, a lot of companies don't apply them or track them. But the report cites some good news. Audited applications showed 60% had vulnerabilities in 2018, compared to 78% in 2017.
Bad actors depend on the popularity of open source, making it a prime target for exploiting known vulnerabilities. Attackers look for organizations neglecting timely fixes.
Equifax's historic data breach was the result of an unpatched vulnerability on a website application. The patch was available for two months prior to exploitation of the security hole. The WannaCry attack in May 2017 spread because of a weakness in Windows 7 software, which users were informed of before the attack.
Unlike subscription-based software, proprietary and open source code demand attention because fixes are not automatically deployed. Companies require an accurate inventory of versions and components of their open source software to accurately apply patches. Still, security is improving in open source use.
There's a heightened awareness that companies rely on software in every department. In an effort to make tasks and processes easier, non-technical employees often deploy unsanctioned and unaccounted for software applications. While their DIY approach is understandable, it comes with consequences.
The added layer of the cloud makes this deployment easier for companies, but now thousands of pieces of software can run on the cloud or on-premise systems. The software is usually a combination of off-the-shelf packages, open source software and custom-built codebases, according to the report.