Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

BLACK DUCK AUDITS OF 1000+ SOFTWARE APPLICATIONS SHOW WIDESPREAD WEAKNESS IN ADDRESSING OPEN SOURCE SECURITY VULNERABILITY RISKS

Open Source Security and Risk Analysis reveals ineffectiveness across industries; Retail, E-commerce, FinTech audits show highest risk to open source security vulnerabilities

Black Duck, the global leader in automated solutions for securing and managing open source, today released its 2017 Open Source Security and Risk Analysis (OSSRA), a report that details significant cross-industry risks related to open source vulnerabilities and license-compliance challenges.

Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation (COSRI) analysed 1,071 applications audited during 2016 and found both high levels of open source usage – 96% of the apps contained open source – and significant risk to open source security vulnerabilities – more than 60% of the apps contained open source security vulnerabilities.

Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

Open source license conflicts were widespread. The audited applications contained 147 open source components on average – a daunting number of license obligations to keep track of – and in fact 85% of audited applications contained components with license conflicts. The most common challenges were GPL license violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.

“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source. This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges,” said Black Duck CEO Lou Shipley.

Shipley said he expected the open source audit findings would be eye-opening for security executives because the application layer is a primary target for hackers. “Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” said Shipley.

“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, Director at Black Duck’s Northern Ireland based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organisations in every industry have a long way to go before they are effective in managing their open source.”

To download the OSSRA analysis, visit https://www.blackducksoftware.com/open-source-security-risk-analysis-2017.