With all the benefits of open source, improper management of its use may result in substantial legal, business, and technical risks. Most research and design managers know that they have to manage open source licenses, but not many are monitoring for security vulnerabilities and other bugs in open source libraries they use.
Do you know the importance of monitoring open source for vulnerabilities before, during, and after using it?
Open source is code like any other, and according to a study by Coverity likely contains defects at a rate similar to other software (~1 defect per 1000 lines of code). According to the Veracode’s State of Software Security report, 70% of applications fail to comply with basic enterprise security policies, such as OWASP Top 10 and CWE/SANS Top 25. However, while software developers test their own code regularly and rigorously, and would immediately tend to fix security vulnerabilities, most are paying little attention to the open source libraries that ship with their products.
Popular open source projects are of course being scrutinized by many users, which often discover defects more quickly than otherwise. These are also well documented. As we speak, the Common Vulnerabilities and Exposures (CVE) database shows hundreds of security vulnerabilities that are directly related to open source libraries. Even better, open source communities are often quicker to fix and otherwise upgrade their code (sometimes in excess of five times a year). Unfortunately, developers that do not monitor for these discoveries and updates would not know of the vulnerabilities, and would clearly not upgrade the version of the library they use.
According to White Source research, 85% of software projects use outdated libraries.
When you choose to use an open source solution, you usually select the latest version of a given library. And, you know that from that point on you must continuously monitor the various repositories for newly discovered vulnerabilities. You might also know that there are open source management systems that can proactively alert you when security vulnerabilities are being discovered in specific libraries that you are using (as well as to when a new version is being put out that fixes these and other defects!)
Remember: your product ships not only with your code, but also with that of the open source libraries you use. The quality of your own product and the security of your customers are directly related.