The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com)

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application.

The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

  • by greenwow ( 3635575 ) on Tuesday May 22, 2018 @04:02PM (#56655196)

    Sounds like they're using Maven or NPM. Both include a ridiculous number of transitive dependencies.

    • Re: (Score:2, Informative)

      by Luthair ( 847766 )
      It's called modular software development, perhaps you should look into it? While it's true that NPM has had a lot of dependencies that do trivial things, that isn't really true for most Java libraries.
      • Easy for you to say when the output of "mvn dependency:tree -Dverbose" doesn't include over two thousand lines of output.

      • No, most Java dependencies do something large, complex, and buggy, and app developers pull it in anyway to do something that COULD be replaced by a trivial function.

        Though I don't do much mobile programming these days, so for all I know bloated-spyware-framework-in-a-box could be open source now.

      • It's called modular software development, perhaps you should look into it?

        It's funny how kids today have rediscovered Modula-2.

        • by MouseR ( 3264 )

          Memories. My first commercial product on Mac was in Modula-2 which was kinda big in the late 80s early 90s, until Metcom succumbed to the dark side of C and IDEs to become Metrowerks.

          Back on topic;

          Today, I work for a larger company (celebrated my 20th year there this past October) and it's become progressively harder for our group to include OpenSource products. There are more than one reason why but the biggest hurdle comes from Legal, that has to approve the licenses individually and research the backgrou

    • by raymorris ( 2726007 ) on Tuesday May 22, 2018 @04:54PM (#56655418) Journal

      When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.

      When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.

      Of course most codebases that people use Black Duck on have open source code - that's what Black Duck is for, listing which parts are OSS. It's like saying "96% of people who called Water Leak Locators had a water leak." Well no shit, you don't hire someone to find the water leak unless you think you have a water leak.

      Occasionally, people use Black Duck to show someone else that there isn't OSS code, but normally if you don't have OSS code, you don't need to go looking for what isn't there.

      • And so reading this article, I'm wondering: If I'm worried about attackers leveraging vulnerabilities in my source code, is there any product I could buy that might help me with this newfound concern?
  • by Anonymous Coward

    The fear here is that the open source components in proprietary software are going to open up vulnerabilities?

    Promoting security through obscurity are we?

    WTF is going on here?

    • by NFN_NLN ( 633283 ) on Tuesday May 22, 2018 @04:16PM (#56655260)

      Open source and security

      Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.

      The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

      “Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.

      • by Anonymous Coward

        Meh, humbug scare piece full of broken logic and lies.

        commercial software, where updates are automatically pushed to users, open source has a pull support model

        Really? Since when do developers automatically get their components updated and push them out to their clients? All these old versions of running around the place because "critical application X needs that particular version" would seem to indicate otherwise. And open source has a pull support? Yeah, you pull your updates along with all the other updates, as opposed to certain commercial software which shall go unnamed, where you have to hunt down doz

      • unlike commercial software, where updates are automatically pushed to users

        This is nonsense. Most commercial software does NOT automatically push updates to users.

        Also, most commercial updates focus on new features (which people will pay for) rather than bug fixes and security fixes.

      • by nagora ( 177841 )

        Of course, no one has ever found that their audited, secured system has been made vulnerable by a pushed update that had a flaw in it.

    • if you don't "reinvent the wheel" make sure that you use a GOOD WHEEL.

      also if like everybody is using the same Lib then a bug in that lib is now a bug in everybody's application.

  • The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them

    This has been the argument against open source for over 25 years — and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?

    • Re:Open sores? (Score:4, Informative)

      by jellomizer ( 103300 ) on Tuesday May 22, 2018 @04:54PM (#56655410)

      The open source security model works fine for an open source model.
      The closed source security model works fine for a closed source model.
      Mixing them is where the problems come up.

      The open source model works because when a flaw is found it can be fixed and pushed... Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix. Where it wasn't their code they may be less willing to do that.

      The closed source model relies on the fact that problems are harder to find, allowing closed source apps to get away with flaws and giving them time to fully fix and patch the systems before it goes too far.

      When you mix them, such as closed source tools in an open source app, then if a closed source problem is found, the open source app doesn't have a way to fix it, but it is public that they are using that tool. And a closed source app using an open source plugin means there are a lot of eyes that know which particular flaw they can use.

      • by mi ( 197448 )

        Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix

        The same problem exists in open-source world too. Tons of packages bundle other packages inside. This is such a pervasive problem, FreeBSD, for example, has a special page instructing porters to fight it [freebsd.org] — and many still don't...

        OpenOffice used to be the worst offender, bundling just about everything (python, libxml, boost, xmlsec — you name it). Firefox and Thunderbird continue to bun

    • Re:Open sores? (Score:4, Insightful)

      by Kjella ( 173770 ) on Tuesday May 22, 2018 @05:25PM (#56655586) Homepage

      This has been the argument against open source for over 25 years — and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?

      It's been debunked in open source software, but there are many ancient and abandoned versions of open source libraries in closed source software, either because nobody takes responsibility or they're relying on some deprecated API or custom modifications. Which is a pretty big risk when an exploit is found in the current code base, that library will get rebuilt and pushed out to Linux distributions but not your average random COTS software. But they seem to be pushing for Win10-style force fed updates, whether you like it or not. I suppose it's necessary for idiots who refuse to patch and become part of the latest botnet, but keep that far away from me...

  • Suggesting... (Score:5, Insightful)

    by El Cubano ( 631386 ) on Tuesday May 22, 2018 @04:22PM (#56655278)

    The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting ...

    ... that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary code almost certainly has not received independent peer review.

    The article itself contains this bit:

    ... unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.

    That makes me wonder about some things. The article is supposedly about proprietary apps, not proprietary components. If I, as a commercial software developer, license a commercial library for something, the vendor of that library does not "push" updates into my code base. I still have to decide to upgrade (assuming my maintenance contract is current and I have that option).

    Also, they don't bother to specify whether their audit accounts for whether the developer is using the code under an open source or a commercial license. For example, Java can be used open source (as in OpenJDK) or via a commercially supported license from Oracle. They also mention license compliance risk, which is yet another red herring. Commercially licensed components also carry a compliance risk with them.

    This just seems like yet another article trying to scare engineering and development managers into purchasing the services of audit and compliance outfits. Or, put another way, nothing to see here.

    • that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary almost certainly has not received independent peer review.

      True, but, given what I've seen, it's not uncommon to import tens of thousands of lines of code to access one function. Definitely there is a wider attack surface.

  • Before open source development was a thing, I imagine every development outfit was an island (unless there were cross-licensing deals in place). Now that there's all this pro-quality open source code floating around, these same types of outfits are "borrowing" it for their own proprietary means at no cost to them.

    I think of a day when proprietary software is looked at with skepticism by default because it is so very likely that it contains this "borrowed" open source code. Most of that will likely be hidden

  • "The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them"

    Black Duck, set up by an ex-microsoftie [wikipedia.org] specifically to FUD Open Source software. See more open source fud from Black Duck partner Microsoft [microsoft.com]. It's sad seeing slashdot reduced to spouting Microsoft propaganda, I'm glad CmdrTaco isn't around to see it.
    • by Luthair ( 847766 )

      It's very odd to me that you'd think it was about FUD. One could make an argument that Black Duck was protecting open source developers from others stealing their work.

      In terms of security these claims really shouldn't be seen as a knock on the quality of OS libraries; the reality is only trivial software can be perfect and pretty much every piece of commercial software has had security vulnerabilities.
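Two threads above make the same practical point from opposite directions: greenwow's remark that a Maven or NPM build drags in a huge number of transitive dependencies (the "mvn dependency:tree -Dverbose" output running past two thousand lines), and the article's "pull support model", under which nobody pushes a fix to you and you have to know what you ship and check it yourself. The script below is an added example, not code from the article, from Black Duck, or from any commenter. It parses the text format that `mvn dependency:tree` prints, counts how many components were declared directly versus pulled in transitively, and then matches every component against a local advisory list. The dependency tree, all Maven coordinates and the advisory identifiers (`EXAMPLE-ADV-0001`, `EXAMPLE-ADV-0002`) are constructed for the example and refer to no real project or vulnerability; a real inventory would come from your own build and a real advisory feed.

```python
"""Inventory a Maven dependency tree and check it against an advisory list.

Added example for the discussion above.  The tree text follows the format
that `mvn dependency:tree` prints, but every coordinate below is constructed
(fictional groupIds/artifactIds) and the advisory list is a placeholder that
stands in for whatever vulnerability feed you actually subscribe to.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output.  Depth is encoded by the "|  " / "   " prefix
# columns before the "+- " or "\- " branch marker, exactly as Maven prints it.
SAMPLE_TREE = r"""
[INFO] com.example.shop:shop-app:jar:1.4.0
[INFO] +- org.example.web:http-client:jar:2.3.1:compile
[INFO] |  +- org.example.web:http-core:jar:2.3.1:compile
[INFO] |  \- org.example.io:stream-utils:jar:1.0.9:compile
[INFO] +- org.example.json:json-mapper:jar:5.2.0:compile
[INFO] |  \- org.example.json:json-core:jar:5.2.0:compile
[INFO] +- org.example.log:log-api:jar:1.7.0:compile
[INFO] \- org.example.test:unit-lib:jar:4.12:test
"""

# Constructed advisory list (placeholder IDs, not real CVEs):
# "group:artifact" -> advisories, each naming the first fixed version.
ADVISORIES = {
    "org.example.io:stream-utils": [{"id": "EXAMPLE-ADV-0001", "fixed_in": "1.1.0"}],
    "org.example.json:json-core": [{"id": "EXAMPLE-ADV-0002", "fixed_in": "5.1.0"}],
}

# One tree line: "[INFO] " + zero or more 3-char prefix columns + branch marker
# ("+- " or "\- ") + coordinate.  The root (no branch marker) does not match.
LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)(?P<branch>[+\\]- )(?P<coord>\S+)$")


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 1 = declared in your own pom, >1 = transitive

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_dependency_tree(text: str) -> list[Dependency]:
    """Turn `mvn dependency:tree` text output into a flat list of components."""
    deps: list[Dependency] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # group:artifact:packaging[:classifier]:version:scope
        parts = m.group("coord").split(":")
        depth = len(m.group("prefix")) // 3 + 1
        deps.append(Dependency(parts[0], parts[1], parts[-2], parts[-1], depth))
    return deps


def summarize(deps: list[Dependency]) -> dict[str, int]:
    """Count what the team chose versus what the build chose for them."""
    direct = sum(1 for d in deps if d.depth == 1)
    return {
        "total": len(deps),
        "direct": direct,
        "transitive": len(deps) - direct,
        "max_depth": max((d.depth for d in deps), default=0),
    }


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple for comparing dotted versions ("1.0.9" < "1.1.0")."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_vulnerable(deps: list[Dependency], advisories: dict) -> list[tuple[str, str, str, str]]:
    """Report every component older than an advisory's fixed version."""
    hits = []
    for d in deps:
        for adv in advisories.get(d.coordinate, []):
            if version_key(d.version) < version_key(adv["fixed_in"]):
                hits.append((d.coordinate, d.version, adv["id"], adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    deps = parse_dependency_tree(SAMPLE_TREE)
    print(summarize(deps))
    for coord, ver, adv_id, fixed in find_vulnerable(deps, ADVISORIES):
        depth = next(d.depth for d in deps if d.coordinate == coord)
        print(f"{coord} {ver}: {adv_id}, fixed in {fixed} (depth {depth})")
```

On the constructed tree the only hit is `stream-utils`, which nobody in the project declared: it arrived at depth 2 underneath `http-client`, which is the situation the comments describe. The `json-core` entry is already past its advisory's fixed version and is correctly not reported. Feeding the script the real output of `mvn dependency:tree` and a real advisory feed turns the article's "pull model" into a concrete, repeatable check rather than a task someone has to remember.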
