4. Open source is the foundation of modern applications
Chart: share of application code that is open source, by year
1998: 10% Open Source
2005: 20% Open Source
2010: 50% Open Source
Today: up to 90% Open Source
5. It enters your code through many channels…
• Developer downloads
• Outsourced development
• Third party libraries
• Code reuse
• Approved components
• Commercial apps
• Open source code
…and open source vulnerabilities can come with it.
9. When vulnerabilities are discovered, it’s a race between you and hackers
Timeline: Vuln introduced → Vuln discovered → National Vulnerability Database
Your track: You find it → You fix it
Hackers’ track: Exploits published → Hackers hack
The gap between exploits being published and your fix is the highest security risk.
13. Notable open source vulnerabilities
Component      | Introduced | Discovered | Name
OpenSSL        | 2011       | 2014       | Heartbleed
GNU C Library  | 2000       | 2015       | Ghost
QEMU           | 2004       | 2015       | Venom
Bash           | 1989       | 2014       | Shellshock
OpenSSL        | 1990s      | 2015       | FREAK
What do these vulnerabilities have in common?
All were found by security researchers – not SAST / DAST tools.
15. Center for Open Source Research & Innovation
• Focused on providing cutting-edge research, innovation and information
• Ensures the open source ecosystem remains vibrant
• Consistently publishes research on open source and security
16. Open Source Research, Info-Gathering & Sharing Efforts
• KnowledgeBase™: The world’s most complete, current and accurate repository and database of open source software, associated licenses and other critical information, including known security vulnerabilities.
• Vancouver Research Group: Conducts applied research in data mining, machine learning, natural language processing, big data management and software engineering.
• Europe Research Group: Analyzes security issues and attack patterns in open source software to provide customers with actionable and meaningful security context on vulnerabilities, corrective actions to reduce risk, and strategies for using open source effectively.
• Open Hub: Offers analytics and search services for discovering, evaluating, tracking and comparing open source code and projects.
• Open Source Security Audit Report: Active field research of commercial applications, releasing trends in open source management.