I got 257 problems, and they're all open source: Report shines light on Wild West of software

A report on open-source security management and licence compliance may make uncomfortable reading for those who maintain codebases that use the stuff.

The document – produced by Black Duck, which sells services to make sure users are on top of their estate and so has a vested interest here – looked at 1,100 commercial codebases and claimed the results weren't pretty.

Remember Apache Struts? This was the framework left unpatched by Equifax in spite of an alert issued by the US Department of Homeland Security in March 2017. The subsequent data breach will keep lawyers in work for years to come.

The report found 8 per cent of the audited codebases were using Struts and of those, a third still contained the vulnerability. Another 4 per cent of the codebases contained the four-year-old Heartbleed vulnerability.

The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also ensuring that any open source in use is also compliant.

Internet of Things (IoT) devices and other hardware using open-source components come in for some stick, with the researchers highlighting connected hardware providing pathways for hackers to get to unexpected places.

While 77 per cent of the audited IoT codebases consisted of open-source components with an average of 677 vulnerabilities per application, a bigger issue is default admin passwords which undermine even the most conscientious of patching regimes.

While closed and open source share much of the same security issues – users need to be aware of what they are dealing with and what requires patching – open source has a particular issue around licensing. The Open Source Initiative alone lists over 80 different licence types and there are many hundreds more.

Of the codebases audited, each were using an average of 257 open-source components. Using a spreadsheet to keep track of the things is a pain in the butt as both team size and component count grows.

Though the report's authors will happily sell you tools to maintain compliance, other options, such as FOSSology, can be pressed into similar service, albeit with a bit more effort.

Black Duck claimed 44 per cent of the audited codebases were found to have GPL licence violations and 85 per cent had either conflicts or components with no licence at all.

The increasing use of open-source components in development may well require changes to procedures and practices. As with traditional closed source, vulnerabilities and security considerations are in need of planning and mitigation, and navigating the array of licence types can be bewildering. This has created a opening for firms like Black Duck to make a buck or two.

Open source, for all its benefits, does not remove the need for developers to know what they are actually using. ®