The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com) 60
Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:
96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.
96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.
"average 257 components per application." (Score:5, Insightful)
Sounds like they're using Maven or NPM. Both include a ridiculous number of transitive dependencies.
Re: (Score:2, Informative)
Re: (Score:3)
Easy for you to say when the output of "mvn dependency:tree -Dverbose" doesn't include over two thousand lines of output.
Re:"average 257 components per application." (Score:4, Informative)
"Maybe you should look into "dependency hell", a new special hell for application written in last year or two"
You must be fucking new, because Dependency hell was a thing in the 90s.
Re: (Score:2)
"Back then it was unthinkable to have a runtime linked system that automatically pulls in incompatible libraries for you."
Java existed in 1995. Just saying.
Re: (Score:2)
No, most Java dependencies do something large, complex, and buggy, and app developers pull it in anyway to do something that COULD be replaced by a trivial function.
Though I don't do much mobile programming these days, so for all I know bloated-spyware-framework-in-a-box could be open source now.
Re: (Score:2)
Its called modular software development, perhaps you should look into it?
It's funny how kinds today have rediscovered Modula-2.
Re: (Score:2)
Memories. My first commercial product on Mac was in Modula-2 which was kinda big in the late 80s early 90s, until Metcom succumbed to the dark side of C and IDEs to become Metrowerks.
Back on topic;
Today, I work for a larger company (celebrated my 20th year there this past October) and it's become progressively harder for our group to include OpenSource products. There are more than one reason why but the biggest hurdle comes from Legal, that has to approve the licenses individually and research the backgrou
Also huge selection bias (Score:5, Insightful)
When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.
When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.
Of course most codebases that people use Black Duck on have open source code - that's what Black Duck is for, listing which parts are OSS. It's like saying "96% of people who called Water Leak Locators had a water leak. Well no shit, you don't hire someone to find the water leak unless you think you have a water leak.
Occasionally, people use Black Duck to show someone else that there isn't OSS code, but normally if you don't have OSS code, you don't need to go looking for what isn't there.
Re: (Score:1)
So, let me get this straight. (Score:1)
The fear here is that the open source components in proprietary software is going to open up vulnerabilities?
Promoting security through obscurity are we?
WTF is going on here?
Re:So, let me get this straight. (Score:4, Informative)
Open source and security
Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.
The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.
“Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.
Re: (Score:1)
Meh, humbug scare piece full of broken logic and lies.
commercial software, where updates are automatically pushed to users, open source has a pull support model
Really? Since when does developers automatically get their components updated and push them out to their clients? All these old versions of running around the place because "critical application X needs that particular version" would seem to indicate otherwise. And open source has a pull support? Yeah, you pull your updates along with all the other updates, as opposed to certain commercial software which shall go unnamed, where you have to hunt down doz
Re: (Score:1)
Because anyone with at least an arm and an eye could throw a dart at a dartboard and nail a Java-based application 9 times out of 10 that matches the criteria exactly.
Don't need to come up with concrete examples when the educated among us already had the same thought. You just need to be more educated.
Back to school for you.
Re: So, let me get this straight. (Score:2)
There are at least two internal applications in my company that fit his description perfectly. This is not unusual. Almost everyone who currently works in software encounters this phenomenon on a regular basis.
Yet you choose to be petulant and rude. You demand examples, with no awareness of what an answer would imply.
Do you really expect someone to say, "At my company - X Corp - the Y system depends on an old, known-insecure version of package Z"?
It's obvious you have no idea what you are talking a
Re: (Score:2)
Ooooooookay, suuuuuure. Keep saying that, and maybe someone will believe you. I've worked with a lot of different client companies. Big, small, new, old - they all had this issue.
Maybe you'd like to suggest a company that is blessedly free of all dependencies on obsolete software? I'm very curious to know who they are.. just in case I've seen their systems.
Where do you see me, or anyone else here, asking "the industry" to address this issue? You don't, because you made that up. Because you like to he
Re: (Score:2)
"Still couldn't come up with a concrete example, your patronising weasel words only make you look incompetent."
No, you apparently failed to understand what I said, so no, you're the incompetent one, as I gave an example, actually by a percentage. 9 out of 10 Java-written programs. The only Java programs that don't suffer are the ones that get compiled with something like Excelscior-JET so everything required is contained within the binary and isn't dependent upon external libraries which may or may not get
Re: (Score:3)
unlike commercial software, where updates are automatically pushed to users
This is nonsense. Most commercial software does NOT automatically push updates to users.
Also, most commercial updates focus on new features (which people will pay for) rather than bug fixes and security fixes.
Re: (Score:2)
Of course, no one has ever found that their audited, secured system has been made vulnerable by a pushed update that had a flaw in it.
Re: (Score:2)
if you don't "reinvent the wheel" make sure that you use a GOOD WHEEL.
also if like everybody is using the same Lib then a bug in that lib is now a bug in everybody's application.
Open sores? (Score:1)
This has been the argument against open source for over 25 years — and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?
Re:Open sores? (Score:4, Informative)
The open source security model works fine for an open source model.
The closed source security model works fine for a closed source model.
Mixing them is where the problems come up.
The open source model works because when a flaw is found it can be fixed and pushed... Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix. Where it wasn't there code they may be less willing to do that.
The closed source model relies on the fact that problems are harder to find, allowing closed source apps to get away with flaws and giving them time to fully fix and patch the systems before it goes too far.
When you mix them. Such as closed source tools in an open source app then if a closed source problem is found, the open source app doesn't have a way to fix it, but it is public that they are using that tool. And a closed source app using an open source plugin, means there are a lot of eyes that know which particular flaw they can use.
Re: (Score:3)
The same problem exists in open-source world too. Tons of packages bundle other packages inside. This is such a pervasive problem, FreeBSD, for example, has a special page instructing porters to fight it [freebsd.org] — and many still don't...
OpenOffice used to be the worst offender, bundling just about everything (python, libxml, boost, xmlsec — you name it). Firefox and Thunderbird continue to bun
Re:Open sores? (Score:4, Insightful)
This has been the argument against open source for over 25 years â" and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?
It's been debunked in open source software, but there are many ancient and abandoned versions of open source libraries in closed source software, either because nobody takes responsibility or they're relying on some deprecated API or custom modifications. Which is a pretty big risk when an exploit is found in the current code base, that library will get rebuilt and pushed out to Linux distributions but not your average random COTS software. But they seem to be pushing for Win10-style force fed updates, whether you like it or not. I suppose it's necessary for idiots who refuse to patch and become part of the latest botnet, but keep that far away from me...
Re: Open sores? (Score:2)
Sounds like the main problem is companies that are too cheap, lazy, and/or incompetent to update their proprietary shitware.
Suggesting... (Score:5, Insightful)
The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting ...
... that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary almost certainly has not received independent peer review.
The article itself contains this bit:
... unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.
That makes me wonder about some things. The article is supposedly about proprietary apps, not proprietary components. If I, as a commercial software developer, license a commercial library for something, the vendor of that library does not "push" updates into my code base. I still have to decide to upgrade (assuming my maintenance contract is current and I have that option).
Also, they don't bother to specify whether their audit accounts for whether the developer is using the code under an open source or a commercial license. For example, Java can be used open source (as in OpenJDK) or via a commercially supported license from Oracle. They also mention license compliance risk, which is yet another red herring. Commercially licensed components also carry a compliance risk with them.
This just seems like yet another article trying to scare engineering and development managers into purchasing the services of audit and compliance outfits. Or, put another way, nothing to see here.
Re: (Score:2)
True, but, given what I've seen, it's not uncommon to import tens of thousands of lines of code to access one function. Definitely there is a wider attack surface.
Re: (Score:2)
For compiled code, sure. For JS/PHP/etc all the code is there (and possibly malconfigured.)
Re: (Score:2, Insightful)
Open Source != GPL. A lot of the software mentioned here very well could be more permissive license. Consider how much software uses OpenSSL(and usually packages their own version with it).
So this is good, right? (Score:2)
Before open source development was a thing, I imagine every development outfit was an island (unless there were cross-licensing deals in place). Now that there's all this pro-quality open source code floating around, these same types of outfits are "borrowing" it for their own proprietary means at no cost to them.
I think of a day when proprietary software is looked at with skepticism by default because it is so very likely that it contains this "borrowed" open source code. Most of that will likely be hidden
Attack of the Black Duck open source FUD .. (Score:1)
Black Duck, set up by an ex-microsoftie [wikipedia.org] specifically to FUD Open Source software. See more open source fud from Black Duck partner Microsoft [microsoft.com]. It's sad seeing slashdot reduced to spouting Microsoft propaganda, I'm glad CmdrTaco isn't around to see it.
Re: (Score:2)
Its very odd to me that you'd think it was about FUD. One could make an argument that Black Duck was protecting open source developers from others stealing their work.
In terms for security these claims really shouldn't be seen as a knock on the quality of OS libraries, the reality is only trivial software can be perfect and pretty much every piece of commercial software has had security vulnerabilities.
Re: Exploiting other peoples work (Score:1)
GPL is too weak. Use AGPL instead.