In the fourth edition of the “2019 Open Source Security and Risk Analysis,” security provider Synopsys revealed a number of trends relating to open source security, licensing and compliance. Many of the trends proved to be positive — but there is also some negative. Among the misconceptions is a common misunderstanding of how open source code is used and shared.
“Once you pull back the onion, what we’ve found it is that people often think that if there’s a vendor of open source. They are accustomed to thinking about how to bring in software libraries in one form or another into your supply chain,” Tim Mackey, principal security strategist for the Synopsys Security Research Center, said. “‘They say, well, I go to Microsoft and I buy the code, and I buy the compiler that comes with these things. And Microsoft knows I exist because I bought this… I kind of push back and say ‘that’s not how open source works.'”
In this interview recorded during Dockercon in San Francisco, hosted The New Stack founder and editor in chief Alex Williams, Mackey discussed other findings of the report.
“A shifting the paradigm to being engaged is really where we’re seeing the companies that did well understood that I have to be engaged within the open source community, I have to be willing to invest and develop the time to understand what the latest and greatest evolution of Kubernetes or Docker,” Mackey said.
The Synopsys report is “technically a reflection of the use of open source, the composition of open source building up to today’s application stack,” Mackey said. “So, if I’m developing a commercial application, I’m not just writing my own code,” Mackey said. “I’m going to use the libraries that are available from open source. I’m going to be building frameworks that are available to me that give me all of the value that I want to have.”
Among the positive takeaways, “the code is very much working,” Mackey said. “We’re seeing growth in open source adoption. We had an uptick in the number of open source components per code base last year, which was pretty significant,” Mackey said. “We also saw a decrease in the number of vulnerabilities that were unpatched, those are all positives.”
At the same time, Mackey said: “We did see our share of negatives, as you kind of expect, one of the most notable being that we had a pretty substantial number of components that were just ancient — they were four years old, there was no development during the last couple years.” Mackey said. “And with the velocity of everything today, that is truly ancient.”
At the end of the day, it’s about contributing to the community, Mackey said. “You absolutely have to be part of the community to run open source components,” Mackey said. “You have to understand what your critical components are.”