URL: https://thenewstack.io/why-so-much-open-source-software-is-vulnerable-to-hackers/

Why So Much Open Source Software Is Vulnerable to Hackers

A recent Open Source Security and Risk Analysis (OSSRA) study indicates that 84% of codebases contained at least one known open source vulnerability — an increase of 4% from last year.
Mar 9th, 2023 12:30pm by Chris J. Preimesberger
Featured image via Unsplash.

A recent report by the Synopsys Cybersecurity Research Center has found that a whopping 84% of businesses are being jeopardized by open source code they use in their systems, most notably by JavaScript, by far the most widely used open, standards-based code framework.

The Open Source Security and Risk Analysis (OSSRA) report, published by Synopsys — a long-established electronic design automation (EDA) and security provider — describes the current state of open source security, compliance, licensing, and code quality risks in commercial software based on 1,700 audits across 17 global industries. The study revealed that a massive 84% of codebases contained at least one known open source vulnerability — an increase of 4% from last year.

Understanding and using JavaScript, for example, enables hackers to uncover vulnerabilities and carry out web exploitation, since most applications on the web use JavaScript or its libraries. Because JavaScript can read saved cookies, it is often the vehicle for cross-site scripting (XSS) attacks.


Wake-up Call

The report is a clear wake-up call for companies that rely on open source software, which has long been the foundation of many different types of application and infrastructure software. It suggests that the first step in remediating business risk from open source, proprietary, and commercial code is to conduct a comprehensive inventory of all software that the business uses, regardless of where it originated or how it was acquired. This would involve creating a Software Bill of Materials (SBOM), which lists all open source components in an application, as well as their licenses, versions, and patch status.

The OSSRA report revealed several other relevant findings. For example:

  • There has been significant growth in open source usage during the past five years, with the EdTech sector experiencing the most significant increase; its number of open source instances has grown by 163%.
  • The report also found that high-risk vulnerabilities have increased at an alarming rate, with the retail and e-commerce sector seeing an astounding 557% jump in high-risk vulnerabilities since 2019.
  • Comparatively, the internet of things (IoT) sector, with 89% of the total code being open source, experienced a 130% increase in high-risk vulnerabilities in the same period. Similarly, the aerospace, aviation, automotive, transportation and logistics vertical was found to have a 232% increase in high-risk vulnerabilities.
  • The use of open source components with no licenses has put many organizations at greater risk of violating copyright law than those using licensed components.
  • Available code quality and security patches are not being applied often enough to a majority of codebases. Of the 1,480 audited codebases that included risk assessments, 91% contained outdated versions of open source components. This could lead to vulnerabilities being exploited by cybercriminals who are always on the lookout for weaknesses in software supply chains.

Many commercial and proprietary codebases are acquired through merger and acquisition transactions. With companies using hundreds (often thousands) of apps and web services over time, it’s virtually impossible for acquiring companies to know everything there is to know about the vulnerabilities new systems introduce into their folds.

“Vulnerabilities are just part of doing business in the software industry,” Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group, told TNS. “But not all vulnerabilities are created equally. I think the more concerning number are the high-risk vulnerabilities that we found in almost half the code base.”

A number of companies compile their own software and cybersecurity vulnerability reports on a regular basis. These include Cisco Systems, Fortinet, Arctic Wolf, Imperva, and others.

Measuring Severity

A high-risk vulnerability is defined by the Cybersecurity Research Center this way, McGuire said:

“They take the advisories from numerous (industry) security feeds, analyze them and send them out to our customers. And as part of this analysis, they assign severity scores. When it comes to open source vulnerabilities, they’re using the CVSS scoring system. It (severity) also depends on whether or not there’s an exploit; whether or not there is a fix available; the type of exploit; how easy it is for somebody to go through and actually exploit the application; whether this can be done remotely; and whether you have access to the running instance. So all these (attributes) are taken into consideration for that score. And then that score is what tells us whether or not it’s a high-severity vulnerability,” McGuire said.

Jason Schmitt, general manager of the Synopsys Software Integrity Group, said that the report findings underlined the reality of open source as the underlying foundation of most types of software built today. Schmitt said that a 13% year-over-year increase in the average number of open source components utilized (from 528 to 595) in this year’s audits further reinforced the importance of implementing a comprehensive SBOM.

McGuire said that the key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents. By building this visibility into the application lifecycle, he said, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution.
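The inventory and triage workflow the article describes, as an added example that is not code from the article, Synopsys, or the OSSRA report: it reads a small SBOM, matches each component against an advisory feed, and ranks the matches by a severity tier. The SBOM uses the field names of the CycloneDX JSON format, but the package names, the advisory IDs and the advisory feed itself are constructed for this example, and the tiering rule (CVSS base score promoted by public-exploit and remote-reachability flags, as in the factors McGuire lists) is an assumed heuristic, not the one the Cybersecurity Research Center uses.

```python
import json

# Constructed CycloneDX-style SBOM (a minimal subset of the real format's fields).
# Package names are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-webtoken", "version": "0.9.5",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "acme-csvparse", "version": "4.2.0",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "name": "acme-imgresize", "version": "1.1.0",
     "licenses": []},
    {"type": "library", "name": "acme-logfmt", "version": "2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVEs.
# 'fixed_in' is the first non-vulnerable version; None means no fix exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acme-webtoken", "fixed_in": "1.0.0",
     "cvss": 9.8, "exploit_public": True, "remote": True},
    {"id": "EXAMPLE-ADV-0002", "package": "acme-csvparse", "fixed_in": "4.2.0",
     "cvss": 7.5, "exploit_public": False, "remote": True},
    {"id": "EXAMPLE-ADV-0003", "package": "acme-imgresize", "fixed_in": None,
     "cvss": 5.3, "exploit_public": True, "remote": False},
]


def parse_version(v):
    """Turn '1.2.3' into a comparable tuple; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_sbom(text):
    """Return {name: (version, [license ids])} from a CycloneDX-style JSON SBOM."""
    bom = json.loads(text)
    inventory = {}
    for comp in bom.get("components", []):
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        inventory[comp["name"]] = (comp["version"], ids)
    return inventory


def is_affected(version, fixed_in):
    """A component is affected if it is older than the fixed version, or no fix exists."""
    if fixed_in is None:
        return True
    return parse_version(version) < parse_version(fixed_in)


def severity_tier(adv):
    """Assumed triage heuristic (not Synopsys's): start from the CVSS base score and
    promote when a public exploit exists or the flaw is reachable remotely."""
    score = adv["cvss"]
    if adv["exploit_public"]:
        score += 1.0
    if adv["remote"]:
        score += 0.5
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(sbom_text, advisories):
    """Match the inventory against the feed; return findings, highest tier first."""
    inventory = load_sbom(sbom_text)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for adv in advisories:
        entry = inventory.get(adv["package"])
        if entry is None:
            continue  # advisory is for something we do not ship
        version, licenses = entry
        if not is_affected(version, adv["fixed_in"]):
            continue  # already on a patched version
        findings.append({
            "package": adv["package"], "installed": version, "advisory": adv["id"],
            "tier": severity_tier(adv),
            "fix": adv["fixed_in"] or "none available",
            "unlicensed": not licenses,
        })
    return sorted(findings, key=lambda f: order[f["tier"]])


def unlicensed_components(sbom_text):
    """Components with no license entry: the copyright-risk finding from the report."""
    return sorted(name for name, (_, lic) in load_sbom(sbom_text).items() if not lic)


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, ADVISORIES):
        print(finding)
    print("unlicensed:", unlicensed_components(SBOM_JSON))
```

With the constructed inputs, acme-csvparse is skipped because the installed version equals the fixed version, acme-webtoken lands in the critical tier, and acme-imgresize is reported as medium with no fix available and no license. A real pipeline would replace the inline feed with a vulnerability database lookup and regenerate the SBOM on every build so the inventory stays current.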

Synopsys, based in Mountain View, Calif., develops electronic products and software applications for electronic design automation (EDA), semiconductor IP, software quality, and security solutions.

Chris J. Preimesberger, a contributing writer/editor at several publications since June 2021, is former editor in chief of eWEEK. He was responsible for the publication's coverage for a decade (2011-2021). In his 16 years and more than 5,000 articles at...
Cisco, Imperva and Synopsys are sponsors of The New Stack.
TNS owner Insight Partners is an investor in: Pragma.