
Open source security risks persist in commercial software [Infographic]

Apr 26, 2017 | 1 min read
Application Security | Open Source | Security

Black Duck’s second annual Open Source Security and Risk Analysis report shows that commonly used infrastructure components have high-risk vulnerabilities.

Whatever commercial software your company uses, it probably contains open source code. Black Duck Software recently completed its second Open Source Security and Risk Analysis (OSSRA) report based on security audits of anonymized data from more than 1,000 applications in 2016 and found that 96 percent used open source code. The analysis was done by Black Duck’s Center for Open Source Research and Innovation (COSRI).

Organizations of all sizes, in every industry, use open source for good reason: it lowers development costs, speeds time to market, and accelerates innovation. Black Duck’s On-Demand audits found that open source made up, on average, 36 percent of the code base in the scanned applications.

Applications have become dependent on a handful of open source components. By far the most popular is jQuery, which makes it easier to use JavaScript on websites; it was present in 58 percent of audited applications. The ubiquity of such components makes them attractive targets for attackers seeking to exploit their security vulnerabilities, since a single flaw affects every application that bundles the component.

Excerpts from the COSRI analysis in the infographic below include insights and recommendations to help organizations and their security, risk, legal, and development teams better understand the open source security and license risk landscape.

[Infographic: Black Duck open source chart. Source: Black Duck Software]