Black Duck’s second annual Open Source Security and Risk Analysis report shows that commonly used infrastructure components have high-risk vulnerabilities.

Whatever commercial software your company uses, it probably contains open source code. Black Duck Software recently completed its second Open Source Security and Risk Analysis (OSSRA) report, based on security audits of anonymized data from more than 1,000 applications in 2016, and found that 96 percent used open source code. The analysis was done by Black Duck’s Center for Open Source Research and Innovation (COSRI).

Organizations of all sizes in every industry use open source, for good reason: it lowers development costs, speeds time to market, and accelerates innovation. Black Duck’s On-Demand audits found that, on average, open source made up 36 percent of the code base in the scanned applications.

Applications have become dependent on certain open source components. By far the most popular is jQuery, which makes it easier to use JavaScript on websites; it was present in 58 percent of audited applications. The ubiquity of such components makes them targets for attackers seeking to exploit security vulnerabilities.

Excerpts from the COSRI analysis in the infographic below include insights and recommendations to help organizations and their security, risk, legal, and development teams better understand the open source security and license risk landscape.

Infographic: Black Duck Software