Open Source Security & Risk Analysis 2017: Industry Vulnerabilities Revealed | GBAF

Open Source Security & Risk Analysis 2017: Industry Vulnerabilities Revealed | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > BLACK DUCK AUDITS OF 1000+ SOFTWARE APPLICATIONS SHOW WIDESPREAD WEAKNESS IN ADDRESSING OPEN SOURCE SECURITY VULNERABILITY RISKS

BLACK DUCK AUDITS OF 1000+ SOFTWARE APPLICATIONS SHOW WIDESPREAD WEAKNESS IN ADDRESSING OPEN SOURCE SECURITY VULNERABILITY RISKS

Published by Gbaf News

Posted on April 22, 2017

5 min read

Last updated: January 21, 2026

Graph showing record property deals in Portugal, highlighting affordable housing crisis - Global Banking & Finance Review — This image illustrates the surge in property transactions in Portugal, with a record high of 9.05 billion euros in Q3, emphasizing the worsening shortage of affordable homes.

Open Source Security and Risk Analysis reveals ineffectiveness across industries; Retail, E-commerce, FinTech audits show highest risk to open source security vulnerabilities

Black Duck, the global leader in automated solutions for securing and managing open source, today released its 2017 Open Source Security and Risk Analysis (OSSRA), a report that details significant cross-industry risks related to open source vulnerabilities and license-compliance challenges.

Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation (COSRI) analysed 1,071 applications audited during 2016 and found both high levels of open source usage – 96% of the apps contained open source – and significant risk to open source security vulnerabilities – more than 60% of the apps contained open source security vulnerabilities.

Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

Open source license conflicts were widespread. The audited applications contained 147 open source components on average – a daunting number of license obligations to keep track of – and in fact 85% of audited applications contained components with license conflicts. The most common challenges were GPL license violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.

“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source. This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges,” said Black Duck CEO Lou Shipley.

Shipley said he expected the open source audit findings would be eye-opening for security executives because the application layer is a primary target for hackers. “Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” said Shipley.

“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, Director at Black Duck’s Northern Ireland based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source.”

To download the OSSRA analysis, visit https://www.blackducksoftware.com/open-source-security-risk-analysis-2017.

Open Source Security and Risk Analysis reveals ineffectiveness across industries; Retail, E-commerce, FinTech audits show highest risk to open source security vulnerabilities

Black Duck, the global leader in automated solutions for securing and managing open source, today released its 2017 Open Source Security and Risk Analysis (OSSRA), a report that details significant cross-industry risks related to open source vulnerabilities and license-compliance challenges.

Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation (COSRI) analysed 1,071 applications audited during 2016 and found both high levels of open source usage – 96% of the apps contained open source – and significant risk to open source security vulnerabilities – more than 60% of the apps contained open source security vulnerabilities.

Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

Open source license conflicts were widespread. The audited applications contained 147 open source components on average – a daunting number of license obligations to keep track of – and in fact 85% of audited applications contained components with license conflicts. The most common challenges were GPL license violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.

“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source. This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges,” said Black Duck CEO Lou Shipley.

Shipley said he expected the open source audit findings would be eye-opening for security executives because the application layer is a primary target for hackers. “Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” said Shipley.

“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, Director at Black Duck’s Northern Ireland based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source.”

To download the OSSRA analysis, visit https://www.blackducksoftware.com/open-source-security-risk-analysis-2017.