Unmanaged open-source software is putting businesses at risk, according to a new report from Synopsys.
The company polled 1,500 IT professionals and found that an “overwhelming majority” of modern codebases contain open-source components, with open-source code sometimes making up as much as 70 percent of a codebase.
Most of the codebases audited by Synopsys (75 percent), meanwhile, contained open-source components with known security vulnerabilities, meaning businesses that don’t manage their open-source software properly risk data breaches and fines.
According to Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Research Center, businesses are struggling to effectively track and manage their open-source risk.
He claims that for the majority of businesses (51 percent) it takes anywhere between two and three weeks to apply an open-source patch. This, he believes, is due to the fact that most do not use automated software composition analysis tools to identify which open-source components are in use and when updates are released.
“The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” he said.
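As an added illustration (not code from the Synopsys report or from this article), the script below shows the kind of automated inventory-and-matching step a software composition analysis tool performs: it parses a requirements.txt-style manifest, compares each pinned version against an advisory list, and measures how many days a fix has been available, which is the patch-lag figure the report discusses. Every package name, version, advisory identifier and date here is constructed for the example and does not refer to a real project or advisory.

```python
"""
Minimal software composition analysis (SCA) check, added as an illustration.
It reads a requirements.txt-style manifest, matches pinned versions against a
small advisory feed, and reports which components are affected and how long
the fix has been available. All package names, versions, advisory ids and
dates below are constructed for the example; none are real advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt format (not a real project's).
MANIFEST = """\
# application dependencies
examplelib==1.4.2
netparse==0.9.0
fastjson==2.1.0   # pinned for compatibility
"""

# Constructed advisory feed: package -> [(advisory id, first fixed version, fix published)].
ADVISORIES: Dict[str, List[Tuple[str, str, date]]] = {
    "examplelib": [("EXAMPLE-2024-0001", "1.4.3", date(2024, 3, 1))],
    "netparse":   [("EXAMPLE-2024-0002", "1.0.0", date(2024, 2, 10)),
                   ("EXAMPLE-2023-0099", "0.8.5", date(2023, 11, 20))],
}

# Constructed "today" so the patch-lag numbers are reproducible.
REPORT_DATE = date(2024, 3, 15)


@dataclass
class Finding:
    package: str
    installed: str
    advisory: str
    fixed_in: str
    days_fix_available: int


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Extract name==version pins, skipping comments, blank lines and unpinned entries."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def scan(manifest: str, advisories: Dict[str, List[Tuple[str, str, date]]],
         today: date) -> List[Finding]:
    """Flag every pinned component whose version is below an advisory's fixed version."""
    findings: List[Finding] = []
    for name, installed in parse_manifest(manifest).items():
        for adv_id, fixed_in, published in advisories.get(name, []):
            if parse_version(installed) < parse_version(fixed_in):
                findings.append(Finding(name, installed, adv_id, fixed_in,
                                        (today - published).days))
    return findings


def patch_lag_report(findings: List[Finding], max_days: int = 14) -> Dict[str, int]:
    """Count findings whose fix has been available longer than the allowed patch window."""
    overdue = [f for f in findings if f.days_fix_available > max_days]
    return {"total": len(findings), "overdue": len(overdue)}


if __name__ == "__main__":
    results = scan(MANIFEST, ADVISORIES, REPORT_DATE)
    for f in results:
        print(f"{f.package}=={f.installed}: {f.advisory} fixed in {f.fixed_in}, "
              f"fix available for {f.days_fix_available} days")
    print(patch_lag_report(results))
```

The version comparison is deliberately simple (numeric dotted versions only); a production SCA tool would also handle pre-release tags, version ranges in advisories, and transitive dependencies from a lock file rather than a flat manifest.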
The report also hints at another potential reason – the lack of a universally adopted application security testing (AST) tool. There are many tools on the market, but even the most popular one is still used by less than half of the respondents.