Synopsys: Open Source Security Top-of-Mind but Patching Too Slow
December 14, 2020
Produced by the Synopsys Cybersecurity Research Center (CyRC), a report highlights the findings from a survey of 1,500 IT professionals working in cyber security, software development, software engineering, and web development. The report explores the strategies that organizations around the world are using to address open source vulnerability management, as well as the growing problem of outdated or abandoned open source components in commercial code.
There is no universally adopted application security testing (AST) tool. As the responses to the survey questions indicate, there is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate is still only utilized by less than half of respondents.
The media plays an important role in open source risk management. Forty-six percent of respondents noted that media coverage had prompted their organization to apply more stringent controls on open source usage.
Forty-seven percent of respondents are defining standards around the age of open source components they use. A growing issue in the open source community is project sustainability. A 2020 Synopsys study showed that 91% of codebases audited in 2019 contained open source components that either were more than four years out of date or had no development activity in the past two years. Security risks increase when obsolete code is deployed, including the threat of an open source component being hijacked. Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts.
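The two figures quoted above (components more than four years out of date, or with no development activity in two years) are exactly the kind of thresholds an organization can encode as an age standard and check automatically against its dependency inventory. The following is an added illustration, not code from the Synopsys report: it applies those two thresholds to a constructed inventory with hypothetical package names and dates (in practice the fields would come from an SBOM or registry metadata) and reports which components fail.

```python
import json
from datetime import date

# Thresholds taken from the figures quoted in the passage above (a constructed
# policy for illustration; a real organization would set its own limits).
MAX_VERSION_AGE_YEARS = 4     # pinned version was released more than this long ago
MAX_INACTIVITY_YEARS = 2      # no upstream commits or releases for this long

STALE_VERSION = "STALE_VERSION"
INACTIVE_UPSTREAM = "INACTIVE_UPSTREAM"

# Constructed inventory: hypothetical package names and dates, not real projects.
INVENTORY_JSON = """
[
  {"name": "example-http",   "version": "1.4.0", "version_released": "2016-03-01", "last_activity": "2020-11-01"},
  {"name": "example-stream", "version": "3.2.1", "version_released": "2018-06-10", "last_activity": "2018-06-10"},
  {"name": "example-json",   "version": "2.0.0", "version_released": "2020-09-01", "last_activity": "2020-12-01"},
  {"name": "example-old",    "version": "0.9.0", "version_released": "2015-01-01", "last_activity": "2015-01-01"}
]
"""


def years_between(earlier: date, later: date) -> float:
    """Elapsed time in average years; precise enough for a policy threshold."""
    return (later - earlier).days / 365.25


def evaluate(component: dict, today: date) -> list:
    """Return the policy findings for one component (an empty list means compliant)."""
    released = date.fromisoformat(component["version_released"])
    active = date.fromisoformat(component["last_activity"])
    findings = []
    if years_between(released, today) > MAX_VERSION_AGE_YEARS:
        findings.append(STALE_VERSION)       # the version in use is simply too old
    if years_between(active, today) > MAX_INACTIVITY_YEARS:
        findings.append(INACTIVE_UPSTREAM)   # project looks abandoned: no one to ship fixes
    return findings


def audit_inventory(inventory_json: str, today) -> dict:
    """Map each non-compliant component name to its list of findings.

    `today` may be a date or an ISO date string such as "2020-12-14".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    results = {}
    for component in json.loads(inventory_json):
        findings = evaluate(component, today)
        if findings:
            results[component["name"]] = findings
    return results


def report(inventory_json: str, today) -> str:
    """Human-readable summary suitable for a CI log."""
    results = audit_inventory(inventory_json, today)
    if not results:
        return "all components meet the age standard"
    lines = ["%d component(s) violate the age standard:" % len(results)]
    for name, findings in sorted(results.items()):
        lines.append("  %s: %s" % (name, ", ".join(findings)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Evaluate as of the article's publication date.
    print(report(INVENTORY_JSON, "2020-12-14"))
```

Both checks matter independently: a recently released version of an abandoned project still fails, because a project with no maintainer will not ship a fix or notice a takeover of its publishing account, which is the failure mode the event-stream incident illustrates.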