Open Menu
Synopsys Study Shows Open Source Security Top-of-Mind but Patching Too Slow
| | More EDA News

Global survey of 1,500 IT professionals finds that 40% of respondents worldwide had delivery schedules disrupted to address open source vulnerabilities

MOUNTAIN VIEW, Calif., Dec. 8, 2020 — (PRNewswire) —   Synopsys, Inc. (Nasdaq: SNPS) today released the report, DevSecOps Practices and Open Source Management in 2020. Produced by the  Synopsys Cybersecurity Research Center (CyRC), the report highlights the findings from a survey of 1,500 IT professionals working in cyber security, software development, software engineering, and web development. The report explores the strategies that organizations around the world are using to address open source vulnerability management as well as the growing problem of outdated or abandoned open source components in commercial code.

Open source plays a critical role in today's software ecosystem. The overwhelming majority of modern codebases contain open source components, with open source often comprising 70% or more of the overall code. Yet paralleling the growth of open source use is the mounting security risk posed by unmanaged open source. In fact, according to the 2020 OSSRA report, 75% of the codebases audited by Synopsys contain open source components with known security vulnerabilities. To combat this situation, respondents to the survey cite identification of known security vulnerabilities as the number one criterion when vetting new open source components.

"It's clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk." said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center. "The 'DevSecOps Practices and Open Source Management in 2020' report highlights how organizations are struggling to effectively track and manage their open source risk."

"Over half—51%—say it takes two to three weeks for them to apply an open source patch," Mackey continued. "This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released. The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily."

Other noteworthy findings in the "DevSecOps Practices and Open Source Management in 2020" report include:

  • DevSecOps is rapidly growing worldwide. A combined 63% of respondents reported that they are incorporating some measure of DevSecOps activities into their software development pipelines.
  • There is no universally adopted application security testing (AST) tool. As the responses to the survey questions indicate, there is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate is still only utilized by less than half of respondents.
  • The media plays an important role in open source risk management. Forty-six percent of respondents noted that media coverage had prompted their organization to apply more stringent controls on open source usage.
  • Forty-seven percent of respondents are defining standards around the age of open source components they use. A growing issue in the open source community is project sustainability. A 2020 Synopsys study showed that 91% of codebases audited in 2019 contained open source components that either were more than four years out of date or had no development activity in the past two years. Security risks increase when obsolete code is deployed, including the threat of an open source component being hijacked. Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts.

To learn more, download a copy of the DevSecOps Practices and Open Source Management in 2020 report.

About the Synopsys Software Integrity Group

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at  www.synopsys.com/software.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. As the world's 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and is also growing its leadership in software security and quality solutions. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest security and quality, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. Learn more at  www.synopsys.com.

 

Editorial Contact:
Mark Van Elderen
Synopsys, Inc.
650-793-7450
mark.vanelderen@synopsys.com

 

Cision View original content: http://www.prnewswire.com/news-releases/synopsys-study-shows-open-source-security-top-of-mind-but-patching-too-slow-301188351.html

SOURCE Synopsys, Inc.

Contact:
Company Name: Synopsys, Inc.
Web: http://www.synopsys.com
Financial data for Synopsys, Inc.

Related News
Verific and DARPA Sign Partnership for Streamlined Access to Industry-Standard SystemVerilog EDA Software
UVM Reference Implementation Aligned with IEEE 1800.2-2020 Standard
Samsung Foundry Certifies Cadence System Analysis and Advanced Packaging Design Tool Flow for 2.5/3D Chip Designs
Synopsys Initiates $250 Million Accelerated Share Repurchase Agreement
Synopsys Introduces Improved Illumination Optics Design with New LightTools Version
Intel, Microsoft, IBM Technologists Elected to Si2 OpenAccess Coalition Leadership Posts
More News 
Featured Video








Submit | More Videos 
Sponsored Videos
Submit | More Videos 
Editorial
Editorial Archives 
Latest Blog Posts
Sanjay GangalMCADCafe Editorial
by Sanjay Gangal
Navigating the Evolution of Additive Manufacturing: Insights from the 2024 RAPID+TCT Executive Panel
Sanjay GangalMCADCafe Editorial
by Sanjay Gangal
SPEE3D Unveils Titan SPEE3D: A New Era in Large-Format Metal 3D Printing
More MCAD Blogs 
Jobs
Senior Principal Mechanical Engineer for General Dynamics Mission Systems at Canonsburg, Pennsylvania
Geodetic Analyst, GIS Center (1282) for Idaho State University at Pocatello, Idaho
GEOGRAPHIC INFORMATION SYSTEM (GIS) COORDINATOR for Lassen County at Susanville, California
GIS Analyst for San Bernardino County Transportation Authority at San Bernardino, California
Submit Resume | Post Jobs | More Jobs 
Upcoming Events
IMTS 2024 – The International Manufacturing Technology Show at McCormick Place 2301 S Lake Shore Dr Chicago IL - Sep 9 - 14, 2024
FABTECH Orlando 2024 at Orange County Convention Center Orlando FL - Oct 15 - 17, 2024
TIMTOS 2025 at Nangang Exhibition Center Hall 1 & 2 (TaiNEX 1 & 2) TWTC Hall Taipei Taiwan - Mar 3 - 8, 2025
Submit | More Events 



© 2024 Internet Business Systems, Inc.
670 Aberdeen Way, Milpitas, CA 95035
+1 (408) 882-6554 — Contact Us, or visit our other sites:
AECCafe - Architectural Design and Engineering EDACafe - Electronic Design Automation GISCafe - Geographical Information Services TechJobsCafe - Technical Jobs and Resumes ShareCG - Share Computer Graphic (CG) Animation, 3D Art and 3D Models
  Privacy PolicyAdvertise