
Unmanaged open-source software is putting businesses at risk

(Image credit: Shutterstock/McIek)

Unmanaged open-source software is putting businesses at risk, according to a new report from Synopsys.

The company polled 1,500 IT professionals and found that an “overwhelming majority” of modern codebases contain open-source components, in some cases making up as much as 70 percent of the code.

Most of the codebases audited by Synopsys (75 percent), meanwhile, contained open-source components with known security vulnerabilities, meaning that businesses that don’t manage their open-source software properly risk data breaches and fines.

According to Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Research Center, businesses are struggling to effectively track and manage their open-source risk.

He claims that for the majority of businesses (51 percent) it takes anywhere between two and three weeks to apply an open-source patch. He attributes this to the fact that most do not use automated software composition analysis (SCA) tools to identify which open-source components are in use and when updates for them are released.
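To make the SCA idea concrete, here is a small added example (not code from Synopsys or from the report) that does the two things the paragraph describes: it inventories the open-source components a codebase uses and checks them against published advisories, reporting how many days a fix has been available for each vulnerable component. The SBOM, the advisories, the advisory identifiers and the dates are all constructed for the illustration; a real tool would read a lock file or SBOM and query a live vulnerability database instead.

```python
"""Minimal software-composition-analysis (SCA) check.

Added illustration, not code from the Synopsys report. It matches the
components in a dependency inventory (an SBOM) against a list of advisories
and reports which components sit on a vulnerable version and how long a
fix has been available. Everything below (component names, versions,
advisory ids, dates) is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str   # constructed placeholder id, not a real CVE number
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)
    published: date    # date the fix and advisory were published

    def affects(self, version: str) -> bool:
        """True when `version` lies in the vulnerable range [introduced, fixed)."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory_id: str
    fixed_version: str
    days_fix_available: int   # patch lag: how long the fix has existed unapplied


def find_vulnerable_components(sbom: dict[str, str],
                               advisories: list[Advisory],
                               today: date) -> list[Finding]:
    """Cross-reference every inventoried component against the advisory list."""
    findings = []
    for component, version in sorted(sbom.items()):
        for adv in advisories:
            if adv.component == component and adv.affects(version):
                findings.append(Finding(component, version, adv.advisory_id,
                                        adv.fixed, (today - adv.published).days))
    return findings


def overdue(findings: list[Finding], max_days: int) -> list[Finding]:
    """Findings whose fix has been available longer than the allowed patch window."""
    return [f for f in findings if f.days_fix_available > max_days]


# Constructed sample inventory: component -> pinned version.
SBOM = {"libfoo": "2.14.1", "jsonparse": "1.3.0", "webfw": "4.0.2", "netlib": "0.9.5"}

# Constructed advisories; ids are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("libfoo", "EXAMPLE-2021-0001", "2.0.0", "2.15.0", date(2021, 12, 10)),
    Advisory("jsonparse", "EXAMPLE-2021-0002", "1.0.0", "1.3.0", date(2021, 6, 1)),  # 1.3.0 is fixed
    Advisory("netlib", "EXAMPLE-2022-0003", "0.9.0", "0.9.6", date(2022, 1, 3)),
]
TODAY = date(2022, 1, 17)          # fixed "today" so the example is deterministic
PATCH_WINDOW_DAYS = 21             # assumed internal SLA, not a figure from the report


def main() -> None:
    findings = find_vulnerable_components(SBOM, ADVISORIES, TODAY)
    for f in findings:
        print(f"{f.component} {f.version}: {f.advisory_id}, fixed in {f.fixed_version}, "
              f"fix available for {f.days_fix_available} days")
    for f in overdue(findings, PATCH_WINDOW_DAYS):
        print(f"OVERDUE: {f.component} exceeds the {PATCH_WINDOW_DAYS}-day patch window")


if __name__ == "__main__":
    main()
```

Run as-is it flags `libfoo` (fix available for 38 days, past the assumed 21-day window) and `netlib` (14 days), and correctly leaves `jsonparse` alone because 1.3.0 is the first fixed version. The patch-lag number is the useful output: it is exactly the metric the report says most organisations only learn by hand.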

“The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” he said.

The report also hints at another potential reason – the lack of a universally adopted application security testing (AST) tool. There are many tools in the market, but even the most popular one is still used by less than half of the respondents.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focused news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.