Open source software offers enterprises speed, efficiency and cost savings—starting with acquisition and extending to rapid deployment and support. And it’s ubiquitous. Did you know that your BFF Netflix is built on open-source software?
According to the Linux Foundation’s estimates, teams that use OSS can save more than 50% of what they would spend on commercial solutions. But open source users also take on serious challenges and responsibilities: just ask Equifax, another well-known brand. The Apache Struts vulnerability (CVE-2017-5638) that ultimately exposed Equifax shows the pattern. A quality defect in a widely used open source component is public, the fix is public, and attackers can turn that into a working exploit faster than many organizations can find and patch every application that embeds the component.
We’ve Put OSS to the Test
So even though evangelists are quick to cite reliability and enhanced security among the established virtues of OSS, the category warrants constant scrutiny: OSS can and should be subject to the same rigors the development community applies to commercial and proprietary software. That’s why we’ve created the Software Intelligence Report on Open Source Software Projects. I’ve worked closely with CAST team members Michael Muller and Nagaraja Adiga on this evaluation of OSS structural quality–the first of what we plan to be a regular series of in-depth analyses, timed to current events and trends in the development world.
And we’re very interested in feedback from the open source community. If you have any comments on the findings of our research, please let us know!
It’s incredibly important for organizations to have visibility into the quality of OSS that supports business applications. With this in mind, the Software Intelligence Report benchmarks the overall quality of OSS compared to software built in-house or by outsourced teams. The report looks to identify software risks—like the ones that have put Equifax and other organizations on the defensive.
OSS Security: Serious Highs and Lows
Our deep dive into 61 different open source projects–75,000 source files and 8.9 million lines of code–was particularly preoccupied with security issues.
The good news is that the OSS projects analyzed score 93% compliance with the security rules, seven percentage points higher than the industry-wide benchmark. However, six of the OSS applications score lower than the four deliberately insecure applications that were included in the sample as a baseline. Those outliers carry a high risk of being exploited.
We also looked at the software health of the OSS apps by category. The highest-scoring categories are Analytics (99.2%), Frameworks and Cloud/DevOps, while the lowest scorers are Blockchain, programming language and database projects.
Adding to these gaps, we found that OSS frameworks scored worst on system-level rules, the rules that concern how components interact across a system rather than the correctness of a single unit of code. This matters because a framework is the foundation of every business application built on it: a single framework defect is inherited by all of them, which makes frameworks one of the most attractive targets for attackers, as the Struts bug behind the Equifax breach showed. System-level violations also drive availability: our findings attribute more than 90% of production outages to violations of system-level rules.
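The practical first step toward the visibility this report argues for is knowing which framework versions your applications actually embed. The following is an added example, not code from the CAST report or from Apache: it reads a constructed Maven `pom.xml`, extracts the declared dependencies, and flags any `struts2-core` version that falls inside the ranges Apache listed as affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10). The sample POM, the `AFFECTED` table and the function names are this example’s own.

```python
"""Added example: flag Struts 2 dependencies in the CVE-2017-5638 affected ranges.

Not part of the CAST report. The POM below is constructed sample input; the
affected ranges follow the Apache S2-045 advisory for CVE-2017-5638.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: one vulnerable Struts version, one unrelated library.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>"""

# Inclusive version ranges affected by CVE-2017-5638 (2.3.32 and 2.5.10.1 are fixed).
AFFECTED = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1). Non-numeric suffixes such as '-SNAPSHOT' are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _pad(parts, length):
    # Right-pad with zeros so 2.5 compares as 2.5.0.0 against 2.5.10.1.
    return parts + (0,) * (length - len(parts))


def in_range(version, low, high):
    """True if version lies in the inclusive [low, high] range, compared numerically."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in a POM string."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        yield (
            dep.findtext("m:groupId", namespaces=NS),
            dep.findtext("m:artifactId", namespaces=NS),
            dep.findtext("m:version", namespaces=NS),
        )


def struts_affected(pom_xml):
    """Return 'artifact@version' for every struts2-core dependency in an affected range."""
    hits = []
    for group, artifact, version in dependencies(pom_xml):
        if group == "org.apache.struts" and artifact == "struts2-core" and version:
            if any(in_range(version, low, high) for low, high in AFFECTED):
                hits.append(f"{artifact}@{version}")
    return hits


if __name__ == "__main__":
    for hit in struts_affected(SAMPLE_POM):
        print(f"VULNERABLE (CVE-2017-5638): {hit}")
```

The version comparison is numeric and zero-padded, so the patched 2.5.10.1 is correctly reported as outside the 2.5 to 2.5.10 range while 2.3.31 is inside it. The check only sees versions written literally in the POM; versions supplied through `${property}` placeholders, a parent POM or `dependencyManagement` are not resolved here, which is exactly the kind of gap a real software composition analysis tool has to close.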
Other critical metrics in the report include:
The Looming Question: So What about Bitcoin?
Blockchain applications score well on robustness, as noted above, but poorly on efficiency and security. Does the low efficiency score have implications for the future of Bitcoin mining? Probably few: mining is designed to be resource intensive, and the network adjusts its difficulty so that the number of blocks mined each day stays steady regardless of how efficient the mining code is. What the findings do support is that blockchain apps gain resilience from the distributed ledger design and can handle heavier workloads; their robustness scores indicate they are nearly impossible to crash.
Explore the Findings
Looking at our overall research, we acknowledge that the vulnerabilities we’ve identified aren’t necessarily definitive—but they’re directional. Read them for yourself. We hope you’ll agree that as OSS continues to proliferate, gathering software intelligence on these apps must become an essential enterprise best practice.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.