So You Think Your Open Source Software is Good?

I bet there is a large chunk of the folks reading this that will say that we don’t use open source software.

And then there is another large chunk that says we’re good; all up to date.

My guess is that both of these statements are wrong.

Synopsys did a study and found these two inter-related statistics:

99% of commercial software programs examined included at least one open-source component, so those of you who checked the first statement, unless you are part of the 1%, are wrong.

91% of those commercial software products contained OUT OF DATE or ABANDONED open-source code. So those of you you checked the second statement – you, too, are likely wrong.

I know you are probably tired of me beating on the software bill of materials drum, but I will keep doing it until the problem is fixed.

Synopsys says that of the 1,250+ software codebases that they reviewed, 91% contained components that were either more than FOUR YEARS OUT OF DATE or had seen NO DEVELOPMENT ACTIVITY IN THE LAST TWO YEARS.

Basically, we are making it very easy for the hackers to break in. Do you think that the code that is four years out of date had no bugs in it four years earlier? That doesn’t count the code that is three years out of date or two years out of date.

If hackers weaponize patches within 7 days of release on average, what do you think happens with code that is 4 years out of date?

This audit was of commercial software. Open source software is likely just as bad.

75% of the audited codebases included open source components with KNOWN VULNERABILITIES.

What could possibly go wrong?

49% contained HIGH RISK vulnerabilities.

Part of your vendor risk analysis needs to include auditing whether the vendor has a secure software development process and whether they have a software bill of materials management process.


What is the likelihood that all of your vendors – including cloud vendors – are in that one percent?

I’d say the likelihood is zero percent. Credit: ZDNet

Leave a Reply

Your email address will not be published. Required fields are marked *