• Resources
  • Directory
  • Webinars
  • CAD Models
  • Video
  • Blogs
  • More Publications
  • Advertise
    • Synopsys Ossra Promo
    1. Technologies
    2. Embedded

    Open Source vs. Security and Risk: An Analysis Report

    April 19, 2022
    Synopsys’ Open Source Security and Risk Analysis report highlights the good and the bad.
    Related To: Electronic Design

    This article is part of the TechXchange: Cybersecurity

    What you’ll learn

    • What types of vulnerabilities exist in open-source software?
    • What licensing issues are affecting application development?

    Synopsys is in the software business and safety and security are areas that the company focuses on.

    This year’s annual 2022 Open Source Security and Risk Analysis (OSSRA) report, which you can download, has good and bad things to disclose. The results were based on an audit of 2,409 open-source projects. Many of the issues and observations will be applicable to closed-source solutions as well, but a significant amount of software now depends on open-source support.

    The general trend indicates the overall open-source codebase vulnerability is dropping (Fig. 1). There was a 3% decrease in high-risk vulnerabilities per codebase. Unfortunately, “88% of the codebases contained components that had no new development in the past two years, and these were behind in user updates.”

    1. According to Synopsys’s report, vulnerability numbers are improving. (Courtesy of Synopsys)
    1. According to Synopsys’s report, vulnerability numbers are improving. (Courtesy of Synopsys)

    Overall, almost 80% of the codebases were open source and almost the same percentage had at least one vulnerability (Fig. 2). Likewise, a significant number of projects experienced licensing issues. This is often due to the different licenses that are associated with components in an open-source project. A license that covers an application must take into consideration the licenses and limitations of its components.

    2. The audit found a significant number of codebases with issues. Over half of the audited codebases had licensing issues as well. (Courtesy of Synopsys)
    2. The audit found a significant number of codebases with issues. Over half of the audited codebases had licensing issues as well. (Courtesy of Synopsys)

    The report lists the top 10, which include errors like incorrect cryptographic algorithms (CVE-2020-187) and default permissions issues (CVE0-202-8022). The report runs down the CVE numbers as well as Synopsys’s Black Duck Security Advisories (BSDA).  

    Security, and hence safety, problems continue to plague the software industry. Problems like log4j’s security issue are commonplace and can affect a large number of developers and products because of the widespread use of open-source software, whose maintenance and design is often nebulous.

    The advantage of open-source software is availability. The challenge is its quality and maintenance. As noted in Robert Heinlein’s science fiction novel, The Moon is a Harsh Mistress, there’s no such thing as a free lunch (TINSTAAFL).

    Certain tools and services can greatly improve the support and maintenance of open-source software. This includes license tracking and management, which can be difficult when a variety of licenses cover different software components.

    Read more articles in the TechXchange: Cybersecurity

    Continue Reading

    Sponsored Recommendations

    What are the Important Considerations when Assessing Cobot Safety?

    April 16, 2024
    A review of the requirements of ISO/TS 15066 and how they fit in with ISO 10218-1 and 10218-2 a consideration the complexities of collaboration.

    Wire & Cable Cutting Digi-Spool® Service

    April 16, 2024
    Explore DigiKey’s Digi-Spool® professional cutting service for efficient and precise wire and cable management. Custom-cut to your exact specifications for a variety of cable ...

    DigiKey Factory Tomorrow Season 3: Sustainable Manufacturing

    April 16, 2024
    Industry 4.0 is helping manufacturers develop and integrate technologies such as AI, edge computing and connectivity for the factories of tomorrow. Learn more at DigiKey today...

    Connectivity – The Backbone of Sustainable Automation

    April 16, 2024
    Advanced interfaces for signals, data, and electrical power are essential. They help save resources and costs when networking production equipment.

    Comments

    To join the conversation, and become an exclusive member of Electronic Design, create an account today!