The State of Open Source Software - Flexera · 2019-12-02
TRANSCRIPT
© 2017 Flexera Software LLC. All rights reserved. | Company Confidential
The State of Open Source Software: Vulnerability Risks Are On the Rise
THE CHALLENGE
• Flexera M&A audits reveal that OSS and 3rd party code is 50% - 90% of the code base.
• Most organizations typically know less than 10% of what is actually used.
Gartner says: 95% of IT organizations leverage open source software (OSS) in critical applications.
OSS Usage
Software Trends
• C-Suite has loosened restrictions
• Larger and more complex systems
• Use of small packages (jQuery, npm)
• Package managers make OSS access easier
• Uptick in use of containers and Linux
[Chart: Average # of OSS libraries per project and average number disclosed, 2011-2016. Libraries: 135, 221, 236, 252, 454, 560. Disclosed: 18, 25, 25, 29, 8, 27.]
Based on Flexera research, OSS use is on the rise due to a changing software landscape and heightened awareness.
Higher Usage Requires a More Formal Structure
• Understand code dependencies
• Perform deeper analysis of Linux subsystems
• Have higher expectations for what is in use
• Do greater technical due diligence for M&A
• Broaden legal involvement
Usage and Cost of Vulnerabilities Are Up
IOT TAKES DOWN MAJOR PLAYERS
• Oct 2016 - Thousands of IoT devices in a DDoS attack
• Took down Twitter, GitHub, Amazon, and Netflix
• Mirai Linux-based malware was the culprit
• Used default passwords to find devices running Telnet, then attacked targets
1M CAMERAS, DVRS INFECTED
• Bashlite (2014) targets multiple OSS and commercial vulnerabilities, including Shellshock
• As of Aug 2016, had infected more than 1,000,000 IoT devices
• Many devices shared the same chipsets and other hardware
11-LINE MODULE WREAKS HAVOC
• March 2016 – left-pad removed from npm by its author in a trademark dispute
• Simple string padding function that anyone can write
• Suddenly thousands of projects started to fail
• High profile npm packages and projects listed left-pad as a dependency
Vulnerabilities Persist
The top OSS vulnerabilities are going to have a very long tail, so be aware. For example, versions of OpenSSL vulnerable to Heartbleed still exist 2+ years after the defect was first found.
The Heartbleed impact has caused an increase in reviews of other important OSS components.
VULNERABILITY RECOMMENDATIONS
• Perform a health check of code
• Look in common locations for vulnerable components:
  - Unexamined codebases of all types
  - Embedded in commercial libraries, pre-compiled OSS/RPMs and larger source-based components
  - "Stale" containers or VMs
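One way to run the health check the slide recommends, as an added example (not Flexera's code): walk a component inventory and flag OpenSSL builds whose upstream version still falls in the Heartbleed range (CVE-2014-0160: 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release). The inventory format, component names and sample versions are constructed assumptions.

```python
import re

# Heartbleed (CVE-2014-0160) affected upstream OpenSSL 1.0.1 through 1.0.1f
# (plus the 1.0.2-beta1 pre-release); 1.0.1g and later are fixed.
HEARTBLEED_FIRST = (1, 0, 1, 0)   # 1.0.1, no letter suffix
HEARTBLEED_LAST = (1, 0, 1, 6)    # 1.0.1f, 'f' is the 6th letter
OPENSSL_NAMES = {"openssl", "openssl-libs", "libssl", "libcrypto"}

# Constructed sample inventory (not real data): "source<TAB>name<TAB>version",
# as a code health check might export it for RPMs, containers and vendor SDKs.
INVENTORY = """\
rpm\topenssl\t1.0.1e
rpm\topenssl-libs\t1.0.1k
container:legacy-api\topenssl\t1.0.1f
vendor-sdk\tlibssl\t1.0.1
source\topenssl\t1.0.2g
rpm\tzlib\t1.2.8
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_openssl_version(ver):
    """'1.0.1f' -> (1, 0, 1, 6). Pre-1.1 OpenSSL used a letter suffix for patch
    releases, so '1.0.1' < '1.0.1a' < ... < '1.0.1f'. None if not an upstream version."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    rank = 0
    for ch in letters:  # '' -> 0, 'a' -> 1, 'f' -> 6, 'zb' -> 26*26+2
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), rank)

def is_heartbleed_affected(version):
    """True if the upstream version string falls inside the Heartbleed range."""
    if version.strip() == "1.0.2-beta1":
        return True
    parsed = parse_openssl_version(version)
    return parsed is not None and HEARTBLEED_FIRST <= parsed <= HEARTBLEED_LAST

def find_affected(inventory):
    """Return (source, name, version) for each OpenSSL component still in range."""
    hits = []
    for line in inventory.strip().splitlines():
        source, name, version = line.split("\t")
        if name.lower() in OPENSSL_NAMES and is_heartbleed_affected(version):
            hits.append((source, name, version))
    return hits
```

Distributions often backport fixes without bumping the upstream version string, so an RPM reporting 1.0.1e may already be patched; confirm each hit against the vendor's advisory and the package release number before acting on it.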
OSS Compliance Needs Attention
Year  Libraries  Disclosed  % Disclosed
2011  135        18         13%
2012  221        25         11%
2013  236        25         11%
2014  252        29         12%
2015  454        8          2%
2016  560        27         4%
Risks of non-compliance have increased, including accumulation of technical debt, exposure to security vulnerabilities and legal issues.
Despite the vulnerability cost, Flexera research also shows weak compliance levels, with OSS disclosure rates plummeting.
3 RECOMMENDATIONS FOR PROTECTION:
1. Initiate best practices as a company standard
2. Engage with the OSS community & copyright holders
3. Provide notices & source bundles
Who's Watching Compliance
With disclosure rates at such low levels, it's important to realize there are organizations to help educate on compliance.
Software Freedom Conservancy
sfconservancy.org
Helps promote, improve, develop, and defend Free, Libre and OSS projects.
GPL Violations
gplviolations.org
Raises public awareness of infringement, giving users a way to report violations to copyright holders, and assists copyright holders in action against infringing organizations.
OSS and Software in 2017
Software development has been undergoing fundamental change due to OSS, and will continue to. For example, project size is much greater now – 500K to 1M files are common, not anomalies.
Did you know?
• SaaS teams are "gluing not coding" – hundreds to thousands of OSS libraries, low line count
• Repository managers pull in source code from the Internet
  - Maven [Java], RubyGems [Ruby], NuGet [C#, C/C++], JavaScript / Node.js, Yarn
• Linux, containers and LKM / disk images are coming in scope, especially in OpenStack/Embedded
OSS and Hardware in 2017
KEEP TOP OF MIND
• Chips, SDKs, SoC
• Classic U-Boot/Linux kernel/BusyBox
• Cheap Android tablets still the #1 public violator
• Home-rolled Linux distributions for embedded systems
• Automotive distributions with license and security issues
• Hidden VMs and containers
These areas are emerging and warrant monitoring:
• IoT-related audits and customers
• Cheap devices ($2) with low or NO OSS compliance
• Wi-Fi, Bluetooth, BLE with little memory/flash available
• Single files and single routines with no attention paid to license
Hardware is now a main focus of GPL compliance due to strong dependencies on Linux.
6 Top Compliance Trends for 2017
1. Source analysis of key OSS binaries is increasing
2. Oracle identified this as the #1 concern for most companies
3. Hot button compliance (GPL, LGPL) is on their radar
4. Unlicensed code generally continues to be a challenge
5. P2/P3 compliance (MIT, Apache) is an issue
6. Patent royalties for multimedia are often a surprise
Companies have made strides, but there is a long way to go for full compliance.
To learn more about Open Source Software trends and best practices, check out:
Webinar: The State of Open Source Software (OSS): 2016 Year in Review