2019 Open Source Security and Risk Analysis (OSSRA) report

The Open Source Security and Risk Analysis (OSSRA) report provides an in-depth look at the state of
open source security, compliance, and code quality risk in commercial software.

For over 15 years, security, development, and legal teams around the globe have relied on Black Duck® solutions to help them manage the risks that come with the use of open source. Built on the Black Duck KnowledgeBase™—the most comprehensive database of open source component, vulnerability, and license information available—Black Duck software composition analysis solutions and open source audits give organizations the insight they need to track open source in code, mitigate security and license compliance risks, and automatically enforce open source policies using existing DevOps tools and processes.

Each year, the Black Duck Audit Services team at Synopsys conducts open source audits on thousands of codebases for its customers, primarily in conjunction with merger and acquisition transactions. These audits are the primary source of data for the OSSRA report. This year’s analysis examines findings from the anonymized data of over 1,200 commercial codebases audited in 2018.

The analysis of the 2018 data took place at the Synopsys Cybersecurity Research Center (CyRC). CyRC’s global research labs include locations in Boston, Belfast, Calgary, and Oulu, Finland.

The Boston CyRC big data research team maintains the Black Duck KnowledgeBase. This team analyzes and refines open source activity from thousands of data sources to identify the most significant open source projects in use.

Our Belfast team identifies the impact of open source vulnerabilities and their exploitability. Their work forms the basis of Black Duck Security Advisories, which offer deep-sourced vulnerability data that the team discovers, curates, analyzes, and publishes hourly.

The Calgary group works to identify coding patterns contributing to software vulnerabilities. Our researchers in Oulu identified the OpenSSL vulnerability known as Heartbleed and continue to perform protocol-based research.

This year, the CyRC Belfast team examined findings from the anonymized data of over 1,200 commercial codebases reviewed by the Black Duck Audit Services team in 2018. The 17 industries represented in the report range from aerospace to virtual reality (see the next page for a full list). The audit services team reviewed an average of 71 codebases per industry during 2018.

Operating within the Synopsys charter of making software secure and high-quality, CyRC publishes research such as the annual OSSRA report to support strong cyber security practices.

The 2019 OSSRA report includes insights and recommendations intended to help organizations and security, risk, legal, and development teams better understand the open source security and license risk landscape as they strive to improve their application risk management processes.