When Open Source Opens The Door For Cybersecurity Risks


Open source technology has become critical to companies that need solutions that fit right into their own operations. Applications built with open source technology enable corporate users of these tools to modify and customize tools — and in corporate processes, that can be hugely beneficial.

Take Oro, for instance. The company’s B2B eCommerce solution OroCommerce provides an open source platform that can help SMEs more efficiently brand themselves to corporate buyers and customize interfaces for a better eProcurement experience, without corporate users having to design in-house software to fit their unique needs.

Or take payments company First Data, which acquired open source storefront platform Spree Commerce in 2015 in a significant show of support for open source technology.

The possibilities for open source applications to impact corporate and B2B operations across eProcurement, financial management, payments and beyond are boundless. But a new report from Black Duck Software says the providers of open source software may be putting themselves and their corporate customers at risk.

In Black Duck’s second Open Source Security and Risk Analysis report, released this week, the firm found that 96 percent of the applications it audited contained at least one open source component. Because the technology is so pervasive, gaps in its security, along with other points of friction, are spread just as widely.

“Open source use is ubiquitous worldwide and recent research reports show that between 80 percent and 90 percent of the code in today’s apps is open source,” said Black Duck CEO Lou Shipley in a statement. “This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges.”

In two-thirds of the apps Black Duck analyzed, the firm found vulnerabilities in their open source components. Even more troubling, those vulnerabilities had been discovered, on average, four years earlier.

Financial services and FinTech are most at-risk, Black Duck found. According to its analysis, financial services apps contained an average of 52 vulnerabilities per app, with 60 percent of them considered to be high-risk vulnerabilities.

This puts the financial services space at risk in a big way, said Shipley.

“Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” the executive stated.

Indeed, infiltrating a third-party app via these vulnerabilities can place not only the application developer at risk, but all of its customers, too. Research released this year from MetricStream found that half of companies don’t have a third-party risk management solution in place, with a fifth of businesses facing “significant” risk exposure. Financial losses from a security breach stemming from third-party security lapses can reach into the millions of dollars, experts warn.

Beyond security risks, open source technologies can expose enterprises to other kinds of jeopardy, Black Duck warned.

For instance, more than 85 percent of the apps analyzed by the firm had components whose licenses were out of compliance — and more than half had components with “unknown” licenses, which, Black Duck explained, means no one has permission to use or modify the software.

Amid these revelations, analysts also noted that traditional scanning solutions often miss these vulnerabilities, leaving companies exposed.

“Reading this report should be a wakeup call,” warned Chris Fearon, Director at Black Duck’s Open Source Security Research Group, the security research unit of COSRI (the Center for Open Source Research & Innovation). “The COSRI analysis of audits clearly demonstrates that organizations in every industry have a long way to go before they are effective in managing their open source.”