You’re Using More Open-Source Than You Realise

Gurvinder Pal Singh, The CyberChef
Published in CyberBakery.net
Jul 5, 2024

Written by Edwin Kwan.

Published initially on Cyberbakery.net https://www.cyberbakery.net/youre-using-more-open-source-than-you-realise/

My recent conference presentation on open-source security revealed a common theme: audience members didn’t realise how pervasive open-source is. Everyone in the audience knew that their organisation uses a fair number of open-source components. Still, they thought it made up only a small percentage of their applications, around 30% or less.

The truth is that open-source makes up the bulk of your applications. Industry reports have estimated that 85% of modern applications are built from open-source components. The percentage is higher for modern JavaScript web applications, with 97% of the code coming from open-source components. My analysis has found those numbers to be a low estimate, with the percentage for Java applications at around 98%. Surprisingly, around three-quarters of those open-source components were not explicitly incorporated into their applications; they were transitive dependencies. And with organisations embracing generative AI for software development, their developers might write less than 2% of custom code.

Our use of open-source software is growing exponentially, with download requests exceeding 4 trillion last year, almost doubling from two years ago. But a critical caveat exists: not all open-source offerings are created equal. Around 500 billion download requests made last year were for components with known risk. That is around 1 in 8 downloads being a component with one or more identified security vulnerabilities. Log4j is one such component. It had a critical vulnerability disclosed in December 2021, which resulted in most organisations enacting their incident response plans. Today, around 35% of download requests for log4j are for vulnerable versions. That’s 1 in 3 downloads. Why are we still downloading open-source components with known risk, especially components like log4j? I believe that most organisations are unaware of their open-source consumption, especially for transitive dependencies.

Do you know your organisation’s open-source consumption? Do you have a software bill of materials? If you don’t, you probably use more open source than you realise.
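As an added illustration of what an SBOM lets you answer (example code written for this edit, not from the original post or CyberBakery.net), the script below reads a CycloneDX-style SBOM, separates the components you declared directly from the ones that arrived transitively, and flags any component pinned below a minimum acceptable version. The SBOM contents, component names and the `MINIMUM_VERSION` policy are constructed placeholders, not real vulnerability data.

```python
# Added example, not from the original post: parse a CycloneDX-style SBOM,
# split direct from transitive dependencies, flag versions below a policy floor.
import json
from collections import deque
# Constructed sample SBOM for a fictional app; names and versions are made up and
# the minimum-version policy is a placeholder, not real vulnerability data.
SAMPLE_SBOM = json.dumps({
    "metadata": {"component": {"bom-ref": "app@1.0.0"}},
    "components": [
        {"bom-ref": "web@3.1.0", "name": "web", "version": "3.1.0"},
        {"bom-ref": "json@2.4.1", "name": "json", "version": "2.4.1"},
        {"bom-ref": "logger@1.2.0", "name": "logger", "version": "1.2.0"},
        {"bom-ref": "util@1.9.0", "name": "util", "version": "1.9.0"},
        {"bom-ref": "codec@0.8.3", "name": "codec", "version": "0.8.3"},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["web@3.1.0", "json@2.4.1"]},
        {"ref": "web@3.1.0", "dependsOn": ["logger@1.2.0", "util@1.9.0"]},
        {"ref": "json@2.4.1", "dependsOn": ["util@1.9.0", "codec@0.8.3"]},
        {"ref": "util@1.9.0", "dependsOn": ["codec@0.8.3"]},
    ],
})
MINIMUM_VERSION = {"logger": "1.3.0"}  # placeholder policy: name -> lowest acceptable version

def classify(sbom_text):
    """Return (direct, transitive) sets of bom-refs reachable from the app root."""
    bom = json.loads(sbom_text)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:  # breadth-first walk; cycles are harmless because of `seen`
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(graph.get(ref, []))
    return direct, seen - direct

def transitive_share(sbom_text):
    """Fraction of reachable components that were never declared directly."""
    direct, transitive = classify(sbom_text)
    total = len(direct) + len(transitive)
    return len(transitive) / total if total else 0.0

def below_minimum(sbom_text, policy=MINIMUM_VERSION):
    """(name, version, 'direct'|'transitive') for components older than policy allows."""
    key = lambda v: tuple(int(p) for p in v.split("."))  # plain dotted numeric versions
    bom, (direct, _) = json.loads(sbom_text), classify(sbom_text)
    return [(c["name"], c["version"], "direct" if c["bom-ref"] in direct else "transitive")
            for c in bom["components"]
            if c["name"] in policy and key(c["version"]) < key(policy[c["name"]])]
```

On the constructed SBOM, three of the five reachable components are transitive, and the flagged `logger` component is one nobody declared directly, which is exactly the blind spot the article describes.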

By taking proactive steps to illuminate and manage open-source usage, organisations can harness the power of open-source while mitigating associated security risks.

