2020 Open Source Security and Risk Analysis Report

Welcome to the 5th edition of Synopsys’ Open Source Security and Risk Analysis (OSSRA) report. The 2020 OSSRA includes insights and recommendations to help security, risk, legal, and development teams better understand the open source security and license risk landscape.

To help organizations develop secure, high-quality software, the Synopsys Cybersecurity Research Center (CyRC) publishes research that supports strong cyber security practices. Our annual OSSRA report provides an in-depth snapshot of the current state of open source security, compliance, and code quality risk in commercial software.

For over 16 years, security, development, and legal teams around the globe have relied on Black Duck® software composition analysis (SCA) solutions and open source audits to identify and track open source in code, mitigate security and license compliance risks, and automatically enforce open source policies using existing DevOps tools and processes.

Synopsys’ Black Duck Audit Services team conducts open source audits on thousands of codebases for its customers each year, often supporting merger and acquisition transactions. In the context of software development, a codebase is the source code and libraries that underlie an application, service, or library. These audits are anonymized and used as the primary source of data for the OSSRA report. The data is cross-referenced with the Black Duck KnowledgeBase™ to identify potential license compliance and security risks as well as open source operational factors that may affect the overall codebase. The KnowledgeBase currently houses data on open source activity from over 20,000 sources worldwide, making it an authoritative source for open source projects and components

The 2019 audit data analysis was conducted by CyRC’s Belfast and Boston teams. The Boston big data research team maintains the Black Duck KnowledgeBase, analyzing and refining open source activity from thousands of data sources to identify the most significant open source projects in use. Our Belfast team identifies the impact of open source vulnerabilities and their exploitability. As well as validating data used in the OSSRA, the Belfast team’s work forms the basis of Black Duck Security Advisories (BDSAs), which offer enhanced vulnerability information that the team discovers, curates, analyzes, and publishes as a benefit for commercial Black Duck customers.

This year, the CyRC teams examined anonymized audit findings from over 1,250 commercial codebases in 17 industries, including Enterprise Software/SaaS; Healthcare, Health Tech, Life Sciences; Financial Services & FinTech; and Internet & Software Infrastructure (please see the next page for a full list).

As this report details, open source components and libraries are the foundation of literally every application in every industry. The need to identify, track, and manage open source has increased exponentially with the growth of its use in commercial software. License identification, processes to patch known vulnerabilities, and policies to address outdated and unsupported open source packages are all necessary for responsible open source use.