
The State of Open Source Software Vulnerability Risks Are On the Rise


Page 1: The State of Open Source Software - Flexera · 2019-12-02 · 1 © 2017 Flexera Software LLC. All rights reserved. | Company Confidential The State of Open Source Software Vulnerability

© 2017 Flexera Software LLC. All rights reserved. | Company Confidential1

The State of Open Source Software
Vulnerability Risks Are On the Rise

Page 2

THE CHALLENGE

Gartner says: 95% of IT organizations leverage open source software (OSS) in critical applications.

• Flexera M&A audits reveal OSS and 3rd party code is 50% to 90% of the code base.
• Most organizations typically know less than 10% of what is actually used.

Page 3

OSS Usage

Software Trends
• C-Suite has loosened restrictions
• Larger and more complex systems
• Use of small packages (jQuery, npm)
• Package managers make OSS access easier
• Uptick in use of containers and Linux

Based on Flexera research, OSS use is on the rise due to a changing software landscape and heightened awareness.

Chart: Average # of OSS libraries per project vs. Average Disclosed, 2011 to 2016 (values recovered from the chart labels):

Year  Average # of OSS libraries per project  Average Disclosed
2011  135                                     18
2012  221                                     25
2013  236                                     25
2014  252                                     29
2015  454                                     8
2016  560                                     27

Page 4

Higher Usage Requires a More Formal Structure

• Understand code dependencies
• Perform deeper analysis of Linux subsystems
• Have higher expectations for what is in use
• Do greater technical due diligence for M&A
• Broaden legal involvement

Page 5

Usage and Cost of Vulnerabilities Are Up

IOT TAKES DOWN MAJOR PLAYERS
• Oct 2016 - Thousands of IoT devices in DDoS attack
• Took down Twitter, GitHub, Amazon, and Netflix
• Mirai Linux-based malware was the culprit
• Used default passwords to find devices running Telnet, then attack targets

1M CAMERAS, DVRS INFECTED
• Bashlite (2014) targets multiple OSS and commercial vulnerabilities including Shellshock
• As of Aug 2016, infected more than 1,000,000 IoT devices
• Many devices shared the same chipsets and other hardware

11-LINE MODULE WREAKS HAVOC
• March 2016 – Left-pad removed from npm by its author in a trademark dispute
• Simple string padding function that anyone can write
• Suddenly thousands of projects start to fail
• High profile npm packages and projects listed Left-pad as a dependency

Page 6

Vulnerabilities Persist

The top OSS vulnerabilities are going to have a very long tail, so be aware. For example, versions of OpenSSL vulnerable to Heartbleed still exist 2+ years after the defect was first found.

Heartbleed's impact has caused an increase in reviews of other important OSS components.

VULNERABILITY RECOMMENDATIONS
• Perform a health check of code
• Look in common locations for vulnerable components:
  • Unexamined codebases of all types
  • Embedded in commercial libraries, pre-compiled OSS/RPMs and larger source-based components
  • “Stale” containers or VMs
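The recommendations above amount to "find the copies of a vulnerable component you did not know you had". As an added example (not code from the Flexera deck), the Python below walks a tree that may contain vendored source, prebuilt third-party libraries or an extracted container rootfs, pulls every OpenSSL version banner out of it, and flags the releases affected by Heartbleed. The fixture files, paths and version strings are constructed for the demonstration; the affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is the published scope of CVE-2014-0160, which the deck itself does not number.

```python
"""Added example (not from the Flexera deck): locate OpenSSL version banners
anywhere in a tree and flag Heartbleed-affected releases (CVE-2014-0160:
OpenSSL 1.0.1 through 1.0.1f; 1.0.1g shipped the fix)."""
import re
import tempfile
from pathlib import Path

# OpenSSL compiles a plain-ASCII banner such as "OpenSSL 1.0.1f 6 Jan 2014"
# into libssl/libcrypto and writes the same text into opensslv.h, so one
# byte-level regex covers source trees and compiled artifacts alike.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def heartbleed_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 up to and including 1.0.1f.
    (1.0.2-beta1 was also affected; beta strings are not parsed by BANNER.)"""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"  # "" (plain 1.0.1) and "a".."f" sort before "g"


def versions_in(data: bytes) -> set:
    """All distinct OpenSSL version strings embedded in one file's bytes."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(data)}


def scan_tree(root) -> list:
    """Return (path relative to root, version, vulnerable) for every banner
    found. Files are read as bytes so .so/.a files and RPM payloads count."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for version in sorted(versions_in(path.read_bytes())):
            findings.append((path.relative_to(root).as_posix(), version,
                             heartbleed_vulnerable(version)))
    return findings


def build_sample_tree(root) -> None:
    """Constructed fixture standing in for an unexamined codebase: a vendored
    header, a prebuilt library from a third-party SDK, a patched distro
    library inside a container rootfs, and a file with no banner at all."""
    files = {
        "vendor/openssl/crypto/opensslv.h":
            b'# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1e 11 Feb 2013"\n',
        "sdk/lib/libssl.so.1.0.0":
            b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.1f 6 Jan 2014\x00",
        "rootfs/usr/lib/libcrypto.so.1.0.0":
            b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
        "README.md": b"Internal build notes; nothing vendored here.\n",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> list:
    """Build the fixture in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, version, vuln in demo():
        flag = "VULNERABLE" if vuln else "ok        "
        print(f"{flag}  OpenSSL {version:<8} {rel}")
```

Point scan_tree at a checked-out repository, an unpacked RPM or a mounted container layer; the banner regex is what makes the same pass work on the "embedded in commercial libraries" and "stale containers" cases, because the version text survives compilation. The version comparison is deliberately confined to the 1.0.1 line so that a banner from an unrelated branch is reported but never mislabelled.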

Page 7

OSS Compliance Needs Attention

Year  Libraries  Disclosed  % Disclosed
2011  135        18         13%
2012  221        25         11%
2013  236        25         11%
2014  252        29         12%
2015  454        8          2%
2016  560        27         4%

Risks of non-compliance have increased, including accumulation of technical debt, exposure to security vulnerabilities and legal issues.

Despite the vulnerability cost, Flexera research also shows weak compliance levels, with OSS disclosure rates plummeting.

3 RECOMMENDATIONS FOR PROTECTION:
1. Initiate best practices as company standard
2. Engage with OSS community & copyright holders
3. Provide notices & source bundles

Page 8

Who’s Watching Compliance

With disclosure rates at such low levels, it’s important to realize there are organizations to help educate on compliance.

Software Freedom Conservancy (sfconservancy.org)
Helps promote, improve, develop, and defend Free, Libre and OSS projects.

GPL Violations (gplviolations.org)
Raises public awareness of infringement, giving users a way to report violations to copyright holders, and assists copyright holders in action against infringing organizations.

Page 9

OSS and Software in 2017

Software development has been undergoing fundamental change due to OSS, and will continue. For example, project size is much greater now – 500K to 1M files are common, not anomalies.

Did you know?
• SaaS teams are “gluing not coding” – hundreds to thousands of OSS libraries, low line count
• Repository Managers pull in source code from the Internet
  - Maven [Java], Ruby Gems [Ruby], Nuget [C#, C/C++], Javascript / Node.js, Yarn
• Linux, Containers and LKM / Disk images are coming in scope, especially in OpenStack/Embedded

Page 10

OSS and Hardware in 2017

Hardware is now a main focus of GPL compliance due to strong dependencies on Linux.

KEEP TOP OF MIND
• Chips, SDKs, SoC
• Classic uBoot/Linux Kernel/Busybox
• Cheap Android tablets still #1 public violator
• Home-rolled Linux distributions for embedded systems
• Automotive distribution with license and security issues
• Hidden VMs and containers

These areas are emerging and warrant monitoring:
• IoT-related audits and customers
• Cheap devices ($2) with low or NO OSS compliance
• Wifi, Bluetooth, BLE with little memory/flash available
• Single files and single routines with no attention paid to license

Page 11

6 Top Compliance Trends for 2017

1. Source analysis of key OSS binaries is increasing
2. Oracle identified this as #1 concern for most companies
3. Hot button compliance (GPL, LGPL) is on their radar
4. Unlicensed code generally continues to be a challenge
5. P2/P3 compliance (MIT, Apache) is an issue
6. Patent royalties for multimedia often a surprise

Companies have made strides, but there is a long way to go for full compliance.

Page 12

To learn more about Open Source Software trends and best practices, check out:
Webinar: The State of Open Source Software (OSS): 2016 Year in Review