Navigating the Open Source Risk Landscape

Navigating the Open Source Risk Landscape

Synopsys
Published by: Research Desk Released: Nov 14, 2019

Whether your organization is in the business of building software or you’re an enterprise that uses software to support your business, that
software is typically a mix of commercial off-the-shelf packages, custom-built codebases, and open source software.

Open source software forms the backbone of nearly every application in every industry. Analysts such as Forrester and Gartner note that
over 90% of IT organizations use open source software in mission-critical workloads and that open source components compose up to
90% of new applications.

According to the 2019 Red Hat State of Enterprise Open Source report, over 69% of enterprises surveyed felt that their use of open source
was “very important.” The 2019 Synopsys Open Source Security and Risk Analysis (OSSRA) report, examining findings from the audit data of over 1,200 commercial applications scanned in 2018, found open source in over 96%.

Open source gives application development teams the freedom they need to focus on their unique code by leaving underlying functionality
to components from the open source community. The benefits are many: High-quality software at zero cost. Enhanced developer speed
and agility. Access to the expertise of a global open source community when issues arise.

But most companies haven’t implemented the processes and tools needed to manage the risk that is a by-product of their developers’ use
of open source. For example, 40% of the applications examined in the Synopsys OSSRA report contained high-risk open source security
vulnerabilities. What’s more, 43% of the applications contained open source vulnerabilities over 10 years old.

Open source use isn’t risky, but unmanaged use of open source is. If you can’t produce an accurate inventory of the licenses, versions, and
patch status of the open source components used in your applications, it’s time to assess your open source management policies.

This paper provides insights and recommendations to help organizations and their development and IT teams better manage the open
source risk landscape.cv