It has been reported that vulnerabilities in open source software take, on average, more than four years to be spotted, a gap the security community still needs to address. According to GitHub's annual State of the Octoverse report, published today, reliance on open source projects, components, and libraries is more common than ever.

The big picture takeaways here are that there is a significant amount of open source in virtually every modern application in use today and that keeping those apps secure requires that companies track and manage the open source in their code. This is consistent with Synopsys’ research.
The report focuses on security and so doesn't delve into the legal risks associated with licensing; however, despite being "free," open source software is no different from other software in that its use is governed by a license. Based on research conducted for the 2020 OSSRA report, 68% of codebases contained some form of open source license conflict, and 33% contained open source components with no identifiable license. This is another way in which open source can get organizations into hot water, and it should therefore be managed rather than overlooked.