The document summarizes key findings from Synopsys' 2019 Open Source Risk Analysis Report. It finds that while open source risks persist, they can be managed. It analyzes over 1200 codebases across industries and finds that open source usage is increasing but unpatched vulnerabilities are declining. However, license compliance and outdated components remain issues. The document emphasizes that awareness, engagement, and training developers are key to improving open source governance and security.

1. © 2019 Synopsys, Inc.1
2019 Open Source Risk Analysis Report
Open Source Risks Persist—But They Can Be Managed
Tim Mackey, Principle Security Strategist, Synopsys Cybersecurity Research Center
May 2019

2. © 2019 Synopsys, Inc.2
Agenda
1. Background—overview of open source
2. Understanding the data source for the report
3. Report analysis
4. Conclusions

3. © 2019 Synopsys, Inc.3
Synopsys Cybersecurity Research Center (CyRC)
• Showcase Synopsys’ culture of innovation
• Promotes core investments in AppSec programs
• Deliver tier one reports covering AppSec trends
• Support community development efforts
• Teams located in Belfast, Bloomington, Boston and Oulu Finland

4. © 2019 Synopsys, Inc.4
Synopsys CyRC – Mission
Advance the state of software security through
research, innovation, and evangelism to empower
security and development organizations with
insights and guidance that addresses the
identification, severity, exploitation, mitigation, and
defense against software vulnerabilities.

5. © 2019 Synopsys, Inc.5
Background—Overview of Open Source
Understanding why open source development and governance matters

6. © 2019 Synopsys, Inc.6
Modern application
=
Proprietary code
+
Open source components
+
API usage
+
Application
behavior and configuration

7. © 2019 Synopsys, Inc.7
Equifax breach focused attention on open source

8. © 2019 Synopsys, Inc.8
So what is “Open Source” anyway?
• Open Source Initiative Definition
– Open Source software is software that can be freely accessed, used, changed, and shared (in
modified or unmodified form) by anyone. Open source software is made by many people, and
distributed under licenses that comply with the Open Source Definition.
• Common Definition
– Open source software is software whose source code I have access to outside of a commercial
license agreement.
• What about commercial software?
– Commercial software can easily be created from open source components. Managing and securing
open source software is complicated, and open source within commercial software is even more so.
Note – Lots of legal nuance here so don’t take this as legal advice!

9. Obligations trigger when software is distributed or “ships”
There is no single open source vendor
© 2018 Synopsys, Inc.9

10. © 2019 Synopsys, Inc.10
Open source components are third-party components

11. © 2019 Synopsys, Inc.11
Example: complexity of OpenSSL

12. © 2019 Synopsys, Inc.12
Understanding the data source

13. © 2019 Synopsys, Inc.13
Billions are spent each year on tech acquisitions
Annual worldwide tech and telecom deal flow
Source: 451 Research's MSA KnowledgeBase.
Includes disclosed and estimated values
$573B
acquisitions in 2018
68%
growth from 2017 to 2018
Top 5 industries
software

14. © 2019 Synopsys, Inc.14
Tech due diligence often requires a trusted third party
Product / strategy
People
Process / tools
Architecture
Code
Acquirer DD team
or
Strategy consultant
Third-party audit:
Acquirers do not
typically get access
without a third party
Subjective
and qualitative
Objective
and quantitative

15. © 2019 Synopsys, Inc.15
Black Duck Audit Services supports tech due diligence
Three dimensions of risk in software acquisitions
1 Legal risk 2 Security risk 3 Quality risk

16. © 2019 Synopsys, Inc.16
Over 1200 codebases across all industries
Industry Distribution
Enterprise Software/SaaS 23%
Healthcare, Health Tech, Life Sciences 11%
Financial Services & FinTech 10%
Big Data, AI, BI, Machine Learning 9%
Retail & E-Commerce 7%
Aerospace, Aviation, Automotive, Transportation, Logistics 6%
Internet & Software Infrastructure 5%
Internet of Things 5%
Telecommunications & Wireless 4%
Cybersecurity 3%
Virtual Reality, Gaming, Entertainment, Media 3%
Manufacturing, Industrials, Robotics 3%
Internet and Mobile Apps 3%
Marketing Tech 2%
EdTech 2%
Computer Hardware & Semiconductors 2%
Energy & CleanTech 1%

17. © 2019 Synopsys, Inc.17
Key Report Analysis

18. © 2019 Synopsys, Inc.18
Declines reflective of
codebase variance
and feature diversity
Open source powers modern applications
Codebases with at least one open source component

19. © 2019 Synopsys, Inc.19
Open source is a strong foundation for innovation
Percentage of codebase which is open source
Average
open source
Codebases contained
open source

20. © 2019 Synopsys, Inc.20
Open source license compliance remains critical
Percentage of codebases with license conflicts
Contained
components with
license conflicts
Contained some
form of GPL conflict

21. © 2019 Synopsys, Inc.21
Indeterminate licenses are particularly challenging
Contained custom licenses
that had the potential to
cause conflict or needed
legal review
Contained components
that were “not licensed”

22. © 2019 Synopsys, Inc.22
Open source is all about responsible shared re-use
Percentage of code bases with common components
Contained components
that were more than four
years out-of-date or had
no development activity
in the last two years

23. © 2019 Synopsys, Inc.23
Open source requires a different approach to security
Contained
vulnerabilities
Contained
vulnerabilities
over 10 years old

24. © 2019 Synopsys, Inc.24
Vulnerability impact: Jackson-databind
Functionality
Provides a serialization/deserialization routine to bind data to Java objects
Core issue
Jackson-databind 2.7.0 and later implements a dynamic polymorphic binding model
for certain class types. Exploitation of the vulnerability could result in remote code execution.
Mitigation
Use an explicit polymorphic binding model with @JsonTypeInfo
Why multiple CVEs?
Each CVE addressed different class types. The final CVE refactored the implementation providing
support for full class paths
CVE-2018-7489, CVE-2017-7525 and CVE-2017-15095

25. © 2019 Synopsys, Inc.25
Impact of CVE-2000-0388
Reporting date
May 9, 1990
Impact
A buffer overflow when processing the TERMCAP environment variable in FreeBSD 3.4
and prior could result in a local exploit resulting in privilege escalation
Mitigation
Update the FreeBSD operating environment to a modern version
A vulnerability older than many developers, and found within the 2018 OSSRA dataset

26. © 2019 Synopsys, Inc.26
Improvements are being made
Open source
usage up 5%
Unpatched vulnerabilities
decline 23%
increase in components used
to 298 per codebase16%
most popular open source licenses
covered 98% of codebases20
Open source license conflicts
decreased in most industries

27. © 2019 Synopsys, Inc.27
Awareness key to future improvement
• Rule #1 – You can’t patch what you don’t know you have
– Patches must match source, so know your code’s origin
• Open source isn’t only about source, but about shared re-use
– Binary repositories simplify coding but exacerbate security
• There is no vendor known as “open source”
Contained obsolete or
unmaintained components
Components
per codebase
257
298

28. © 2019 Synopsys, Inc.28
Key takeaways
Open source usage is key to modern applications
• Create a robust strategy to benefit from it
• Train all development and operations teams to identify critical components
Engage with open source communities
• Awareness of new features, critical issues and patches occurs at the community level
• Foster a sense of engagement and shared ownership within your development teams
Open source governance starts with developers
• Train all developers to understand the license implications of the component selections
• Ensure that when a component version is cached for future use that it’s patched regularly

29. © 2019 Synopsys, Inc.29
Build secure, high-quality software faster