Of the 1,703 codebases Synopsys scanned in 2022, 96 percent included at least one open source software component, according to the 2023 Open Source Security and Risk Analysis (OSSRA) report. In addition, 87 percent of the codebases also included security and operational risk assessments. Specifically:
- 91% of codebases contained components that had received no new development in the past two years.
- 89% contained open source more than four years out of date.
- 54% had license conflicts.
- 48% contained high-risk vulnerabilities.
- 31% contained open source with no license or a custom license.
The report, which includes guidance to help reduce security risks, says managing the open source and third-party code in your applications is key. “If you can’t effectively manage and ensure the security of your open source and third-party software, no other efforts made toward securing your supply chain will work — or frankly, even matter. Managing this software entails gaining complete visibility into your dependencies…”
“In the fight against software supply chain attacks,” the report notes, “an SBOM should be your weapon of choice.” This means creating a “comprehensive inventory of all software a business uses, regardless of where it comes from or how it's acquired.”
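The report's point is that an SBOM gives you the inventory needed to ask the questions above about your own dependencies. The following added example (not code from the report or from Synopsys) triages a constructed CycloneDX-style SBOM against three of the report's risk categories: no declared license, no new development in two years (approximated here by the last release date), and components more than four years out of date. Release dates are not part of an SBOM, so the example joins them from a constructed lookup table standing in for package-registry metadata.

```python
"""Triage a CycloneDX-style SBOM against the OSSRA risk categories.

Added example; the SBOM fragment and release dates are constructed.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment (only the fields this check reads).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "oldparser", "version": "0.9.1", "licenses": []},
        {"name": "cryptolib", "version": "2.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Constructed last-release dates; in practice these come from a registry or VCS.
LAST_RELEASE = {
    ("left-pad", "1.3.0"): date(2018, 4, 1),
    ("oldparser", "0.9.1"): date(2016, 1, 15),
    ("cryptolib", "2.1.0"): date(2022, 11, 3),
}

SCAN_DATE = date(2023, 2, 1)  # constructed date of the scan


def triage(sbom_json, last_release, today):
    """Return {"name@version": [flags]} for components that trip a threshold."""
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        key = (comp["name"], comp["version"])
        flags = []
        if not comp.get("licenses"):
            flags.append("no-license")
        released = last_release.get(key)
        if released is None:
            flags.append("unknown-release-date")  # cannot judge staleness
        else:
            age_days = (today - released).days
            if age_days > 4 * 365:
                flags.append("over-4-years-old")
            if age_days > 2 * 365:  # last release used as a proxy for activity
                flags.append("no-development-2-years")
        if flags:
            findings[f"{key[0]}@{key[1]}"] = flags
    return findings


if __name__ == "__main__":
    for comp, flags in triage(SBOM_JSON, LAST_RELEASE, SCAN_DATE).items():
        print(comp, ", ".join(flags))
```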
Read the complete report for more details.