As open source code becomes more prevalent in both commercial and home-grown applications, the number of attacks based on its vulnerabilities will increase by 20 percent this year, predicted Black Duck Software, which collects statistics about open source projects.
The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.
The average commercial application uses more than 100 open source components, he said, and two-thirds of commercial applications have code with known vulnerabilities in it.
Worst of all, there's often no way for buyers to know what open source components are in the software they're buying.
"Typically, companies aren't very forthcoming," he said. When they do provide customers with a list of components, it's usually incomplete. "And if you were to scan a binary without the vendor's permission, you could very well be violating their license agreement and could get yourself into a lot of trouble."
Some large corporate buyers may have the leverage to demand full disclosure from vendors, and to require scans by third parties such as Black Duck.
Avoiding open source software isn't an option. Many open source libraries are de facto industry standards, and writing the same code from scratch takes time, which delays time to market and hurts a company's competitiveness. As a result, the trend of commercial software vendors using open source code is accelerating, said Pittenger.
The same logic applies to enterprises building software in-house, said Ed Moyle, director of thought leadership and research at ISACA, a global organization for cybersecurity professionals.
"There also is a wealth of community support for an active project, which brings with it a reliable stream of security and feature updates," he added. "For certain situations, there is a security advantage in being able to audit the codebase, and of course the ability to heavily customize the software. A good rule of thumb is that if there’s a commercial tool to do something, there’s probably an open source tool that offers a similar feature set."
However, the "many eyes" approach to checking open source code for vulnerabilities doesn't always work.
"Anyone can audit the code, but it seems to be that everyone assumes that someone else will audit it, and nobody does," said Javvad Malik, security advocate at AlienVault. "So this is an issue."
As a result, managing open source components is quickly growing into a very thorny problem -- and the bad guys are aware of this.
Open source code is ubiquitous, so attackers can go after a large number of targets with the same exploit. Because tracking open source code is difficult, users often don't apply patches and updates, so hackers can take advantage of known vulnerabilities and published examples of exploits.
The growth of the Internet of Things also became a major security issue last year, and will continue to be a problem this year, experts predict.
"A lot of open source is being used in smart devices and the Internet of Things, and that's what happened with the Mirai botnet," Malik said.
Meanwhile, developers often don't check open source code for vulnerabilities, or suspect that there are problems but use it anyway due to deadline pressures. So not only are unpatched vulnerabilities still hanging around, but new code is written with old, known vulnerabilities already built in, said Black Duck's Pittenger.
The average age of a vulnerability in a commercial software project was five years, he said.
The Heartbleed bug was discovered in the OpenSSL library in early 2014 and was highly publicized. But last year, it was still present in 10 percent of the applications tested.
Plus, between 2,000 and 4,000 new open source vulnerabilities are discovered every year, Pittenger added.
Fixing the problem will require action by software vendors and by their customers, as well as security awareness on the part of enterprise software developers -- but it is likely to get worse before it starts to get better.