Many Black Duck-related news stories in this week’s edition of Open Source Insight, thanks to the release of our 2017 Open Source Security and Risk Analysis detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges. Black Duck conducts hundreds of open source code audits annually, primarily related to merger and acquisition transactions. For the 2017 analysis, our Center for Open Source Research & Innovation (COSRI) analyzed over 1,000 applications and found both high levels of open source usage — 96% of the apps examined contained open source — and significant risk to open source security vulnerabilities — more than 60% of the apps contained open source security vulnerabilities. All security professionals concerned about vulnerabilities and license compliance will want to review the report, which can be downloaded from the Black Duck website. Emphasizing the need to stay on top of software security vulnerabilities is the NVD CVE listing for the month of April 2017, which now exceeds 900 entries, including CVE-2016-4899, a high to critical flaw where the datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors. On to this week’s top open source and open source security news…

1. Open Source Insight:
Global Response to COSRI 2017 Open
Source Security and Risk Analysis
By Fred Bals, Senior Content Writer & Editor

2. Many Black Duck-related news stories in
this week’s edition of Open Source
Insight, thanks to the release of
our 2017 Open Source Security and Risk
Analysis detailing significant cross-
industry risks related to open source
vulnerabilities and license compliance
challenges.
This Week’s Key Takeaways

3. This Week’s Key Takeaways
Black Duck conducts hundreds of open source code
audits annually, primarily related to merger and acquisition
transactions. Our Center for Open Source Research &
Innovation (COSRI) analyzed over 1,000 applications and
found both high levels of open source usage — 96% of the
apps examined contained open source — and significant
risk to open source security vulnerabilities — more than
60% of the apps contained open source security
vulnerabilities

4. Other open source security and
cybersecurity stories include:
• Open Source Software: Risk Management
Designed to Combat the Vulnerabilities
• Why You Must Build Cybersecurity into
Your Applications
• Open Source Management Gaps Remain a
Problem
• Report: Commercial Software Riddled
With Open Source Code Flaws
More Open Source News

5. Open Source Software: Risk Management
Designed to Combat the Vulnerabilities
In the April 2017 edition of Risk UK magazine, Black Duck
COSRI research director, Chris Fearon, explains why open
source risk management is a must for business.
“… even if they know that open source is a key part of their
firm’s success, some executives – even those in the IT
department – might be surprised to find how much their
business’s solutions depend on open source and how much
open source they use to deliver within a continuous integration
environment and on a continuous release schedule.”

6. “In a series on how companies can create the right security
portfolio for their needs,” writes Forbes contributor Dan Woods,
“I’ve put forward a five-step approach: 1) Determine Needs, 2)
Allocate Spending According to Risk, 3) Design Your Portfolio, 4)
Choose the Right Products, and 5) Rebalance as Needed. Those
five steps need to address the five core tenets of cybersecurity as
identified by the National Institute for Standards and Technology
(NIST) framework, which are identification, prevention, detection,
response, and recovery. However, how companies allocate their
investments in each of these buckets can and should be
customized to their individual assets and operations."
Why You Must Build Cybersecurity into Your Applications

7. New Audit Report Shows Open Source
Management Gaps Remain a Problem
“Black Duck is a company that thrives off data,”
blogs Senior Product Marketing Manager, Evan
Klein. “So when we have a chance to take a step
back and really analyze the state of open source
use and open source management at organizations
worldwide, we feel it important to provide those
data-driven insights to our customers, and to the
industry as a whole That's why we've released
the 2017 Open Source Security and Risk Analysis
(OSSRA).”

8. “The OSSRA takes a look at Black Duck On-
Demand Audits of over 1000 commercial
applications to explore the state of open
source, understand the progress
organizations have made toward managing
open source risk,
and offer recommendations to help those
organizations manage security threats and
license risks.”
New Audit Report Shows Open Source
Management Gaps Remain a Problem

9. Report: Commercial Software Riddled With Open
Source Code Flaws
There are widespread weaknesses in
addressing open source security
vulnerability risks across key industries, the
audits show. "From the security side, 96
percent of the applications are using open
source," noted Mike Pittenger, vice president
for security strategy at Black Duck Software.
"The other big change we see is more open
source is bundled into commercial
software," he told LinuxInsider.

10. Researchers Find Commercial Banking Apps
Contain Swarms of Open-source Bugs
"While many developers rely on open source
components, they may not be keeping ahead of the
game when bugs are discovered," writes ZDNet.
"When bugs are discovered, such as Heartbleed --
an exploitable vulnerability in a component of
OpenSSL -- vendors are responsible for patching
these issues, but the [Black Duck] report
suggested that many companies have a lack of
visibility into their own applications and just how
much they rely on open source components."

11. "A software audit conducted for the Black Duck 2017 Open Source
Security and Risk Analysis (OSSRA) has found that financial
applications had an average of 52 open source vulnerabilities,"
writes Computer Weekly managing editor, Chris Saran.
Chris Fearon, director at Black Duck’s Open Source Security
Research Group, COSRI’s security research arm, said: “The results
of the COSRI analysis clearly demonstrate that organisations in
every industry have a long way to go before they are effective at
managing their open source.” Black Duck said every version of
Linux, PHP, Ruby on Rails and MS.Net contained high-risk
vulnerabilities.
Majority of Open Source Has Security Flaws

12. Black Duck Audit Highlights Risk of Open-source Security
Vulnerabilities
“The OSSRA revealed significant risks related to open-source
vulnerabilities and license-compliance challenges," writes SD
Times, “as well as high levels of risk in the retail and ecommerce
industry.”
“We don’t take the position that open source is any less secure
than commercial software, nor is it more secure, frankly, because
it’s software so it’s going to have bugs and vulnerabilities,” said
Mike Pittenger Black Duck vice president of security strategy.
“There are some characteristics about open source software that
make it attractive to an attacker, simply [because] it’s ubiquitous
and it’s a target-rich environment.”

13. "Most commercial applications use open
source components to save developers from
the time and expense of reinventing the
wheel," writes WebWork Magazin. "However,
this can be a problem, according to the risk
analysis conducted by the specialist for open
source audits Black Duck Software because
of the partial use of obsolete and vulnerable
open-source components."
Risko durch Open Source Komponenten
(Risk through Open Source Components)

14. Open Source ist allgegenwärtig – und gefährlich (Open Source is
ubiquitous - and dangerous)
Black Duck editorial comment: Neither Black Duck
nor our OSSRA report maintain that open source is
“gefährlich,” as the article’s title implies. Rather,
we consider the lack of businesses’ insight into the
open source they use and sloth in addressing
vulnerability and licensing risks as dangerous. We
also recommend the 200+ readers’
comments appended to the article, which clearly
show the passion of the global community for
open source software, a passion which Black Duck
shares.

15. via Heise Online: “Little comes without open source
components. This is a core result of Open Source
Security and Risk Analysis (OSSRA) 2017, for which
specialist in open source audits Black Duck Software
has examined over 1000 commercial applications. On
average, a good third of the code came from open
source projects; JQuery, Bootstrap, JUnit, Apache
Log4j and software from the Apache-Commons
project were used most frequently.”
Open Source ist allgegenwärtig – und gefährlich (Open Source is
ubiquitous - and dangerous)

16. Open Source in mehr als 90 Prozent aller Anwendungen (Open
Source in more than 90 percent of all applications)
via Silicon.de: "Whether open source is
suitable for enterprise applications is no
longer in question. More than 96 percent of
applications include open-source
components, based on the results of a
software audit by Black Duck Software for
which more than 1000 applications were
tested. At the same time, more than 60 percent
of the applications audited had known open
source vulnerabilities."

17. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.