Open source software usage is growing across all industries, but this year's Open Source Security and Risk Analysis (OSSRA) report from Black Duck shows how pervasive security vulnerabilities and license compliance risks are. Black Duck audited more than 1,000 commercial applications in 2016 and analyzed the anonymized results. The audits were primarily related to merger and acquisition transactions but spanned a wide array of industries, including healthcare, manufacturing, financial services, aerospace, aviation, and retail. Open source security issues and license compliance issues can each pose serious financial threats to a company.

Black Duck's findings show that 96% of the applications scanned included open source software, and the average application included 147 unique open source components. The majority of these applications (67%) contained components with known vulnerabilities, and those vulnerabilities had been publicly disclosed for an average of four years. They included high-risk and widely publicized vulnerabilities such as Poodle, Freak, Drown, and Heartbleed.
License compliance issues were even more widespread than the security issues: Black Duck's audits found that 85% of the applications contained components with license conflicts.
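To make the two findings concrete, here is a minimal software-composition check, added as an example for this page and not taken from Black Duck's report or tooling. It matches a component inventory against a list of advisories, reports how long each matched vulnerability has been public as of the audit date, and flags license conflicts against a simple distribution policy. The inventory, the `examplelib` and `jsonparse` components, the `HYPOTHETICAL-1` advisory, the copyleft policy and the audit date are all constructed assumptions; only the OpenSSL entry reflects a real advisory (Heartbleed, CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, disclosed 7 April 2014).

```python
"""Minimal software-composition check: match a component inventory against
advisories and a license policy.  Example code added to this page, not
Black Duck's tooling.  All data below is constructed for illustration except
the Heartbleed advisory."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str          # SPDX identifier where one exists


@dataclass(frozen=True)
class Advisory:
    component: str
    identifier: str
    affected_from: str    # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive upper bound)
    disclosed: date


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(text: str) -> tuple:
    """Turn '1.0.1f' into (1, 0, 1, 6) so OpenSSL-style letter patch levels
    sort correctly; a missing letter sorts as 0, so '1.0.1' < '1.0.1a'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    letter = m.group(2)
    return numbers + ((ord(letter) - ord("a") + 1) if letter else 0,)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def known_vulnerabilities(sbom, advisories, today):
    """Return (component, advisory, years_public) for every inventory entry
    that falls inside an advisory's affected range."""
    findings = []
    for comp in sbom:
        for adv in advisories:
            if adv.component == comp.name and is_affected(comp.version, adv):
                years_public = round((today - adv.disclosed).days / 365.25, 1)
                findings.append((comp, adv, years_public))
    return findings


# Constructed policy: strong copyleft licenses are flagged when the product is
# distributed as proprietary binaries; for internal-only use nothing is flagged.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def license_conflicts(sbom, distribution="proprietary"):
    if distribution != "proprietary":
        return []
    return [c for c in sbom if c.license in COPYLEFT]


# Constructed inventory; examplelib and jsonparse are hypothetical libraries.
SBOM = [
    Component("openssl", "1.0.1e", "OpenSSL"),
    Component("examplelib", "2.3.0", "GPL-3.0-only"),
    Component("jsonparse", "1.8.2", "MIT"),
]

# Heartbleed is real; HYPOTHETICAL-1 is a constructed placeholder advisory.
ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g", date(2014, 4, 7)),
    Advisory("examplelib", "HYPOTHETICAL-1", "2.0.0", "2.4.0", date(2015, 1, 15)),
]

# Assumed audit date: end of the 2016 audit period covered by the report.
AUDIT_DATE = date(2016, 12, 31)


if __name__ == "__main__":
    for comp, adv, years in known_vulnerabilities(SBOM, ADVISORIES, AUDIT_DATE):
        print(f"{comp.name} {comp.version}: {adv.identifier}, "
              f"public for {years} years, fixed in {adv.fixed_in}")
    for comp in license_conflicts(SBOM):
        print(f"{comp.name} {comp.version}: {comp.license} conflicts with "
              f"proprietary distribution")
```

Two design points carry over to real tooling: the version comparison must understand each ecosystem's scheme (the letter-suffix handling here exists only because OpenSSL 1.0.x used it), and the "years public" figure is measured from disclosure to the audit date, which is how a four-year average like the report's arises even when a fix has been available the whole time.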