Blog 144: Open Source Under the Microscope: How the World Relies on Open Source Libraries
Umang Mehta
Doctorate Candidate | Award-Winning Cybersecurity & GRC Expert | Contributor to Global Cyber Resilience | Cybersecurity Thought Leader | Speaker & Blogger | Researcher | Cybersecurity Thought Leader and Writer |
Open-source software (OSS) is the backbone of modern technology, powering everything from financial systems to critical infrastructure. However, the 2022 report "Census II of Free and Open Source Software – Application Libraries", published by The Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH), sheds light on the growing security risks surrounding the widely used libraries that the rest of the software stack is built on.
Open Source's Influence on Commercial Software
The report estimates that free and open-source code makes up 70% to 90% of any given piece of modern commercial software. Synopsys's Open Source Security and Risk Analysis (OSSRA) audit found that 98% of the codebases it reviewed contained open-source components. In other words, most software in use today, from simple apps to critical enterprise systems, depends on open-source libraries, usually several layers deep through transitive dependencies.
This dependency, while cost-effective and innovation-friendly, exposes companies to significant security risk. Because the same few libraries are bundled into most software, a vulnerability in a single component propagates to every product that ships it, often without the downstream vendor knowing the component is present, and the effect ripples across the global digital ecosystem.
Key Findings from Census II:
The Commercial Impact:
Why This Matters
The combination of OSS's ubiquity and the lack of formal governance in many organizations heightens cybersecurity risk. The Log4Shell vulnerability (CVE-2021-44228 in Apache Log4j 2) is a prime example: a single remote code execution flaw in a logging library became a global incident, affecting thousands of enterprises and millions of end users, because the library was embedded, directly or transitively, in an enormous number of products, and many organizations first had to work out whether they shipped it at all.
To reduce this risk, businesses should maintain a Software Bill of Materials (SBOM) for every product they build or buy, so that each component and its version, including transitive dependencies, is inventoried, and feed those inventories into automated vulnerability scanning that matches component versions against advisory databases. That is what turns a public advisory into a prompt, targeted patch rather than a scramble to discover which systems are affected.
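The SBOM-plus-scanning workflow above is easier to reason about with a concrete instance. The following script is an added example, not code from the post or from the Census II report: it parses a constructed CycloneDX SBOM fragment and matches each component against advisory version ranges in the "introduced"/"fixed" style used by OSV. The SBOM contents and the advisory list are constructed here for illustration; the CVE identifier and fixed versions for log4j-core follow the public Log4Shell advisory, but a real scanner would pull its advisory data from OSV, NVD or a vendor feed rather than hard-coding it.

```python
"""Match a CycloneDX SBOM against advisory version ranges (added example)."""
import json

# Constructed CycloneDX 1.4 SBOM fragment; not a real project's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}
"""

# Constructed advisory list shaped like OSV (introduced, fixed) events.
# Each range is half-open: introduced <= version < fixed.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "package": "org.apache.logging.log4j:log4j-core",
        "ranges": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")],
    },
]


def version_key(version):
    """Sortable key for Maven-style versions such as '2.14.1' or '2.0-beta9'.

    Numeric parts are padded so '2.0' == '2.0.0'; a pre-release label
    sorts before the release with the same number. Pre-release labels
    are compared as plain strings, which is enough for this example.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1, pre)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def is_affected(package, version, advisories=ADVISORIES):
    """Return the advisory ids that cover this exact package coordinate and version."""
    return [
        adv["id"]
        for adv in advisories
        if adv["package"] == package
        and any(in_range(version, lo, hi) for lo, hi in adv["ranges"])
    ]


def scan_sbom(sbom_json, advisories=ADVISORIES):
    """Walk the SBOM components and report every (component, version, advisory) hit."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        # Match on group:artifact, not bare name, so log4j-api is not
        # mistaken for log4j-core.
        coord = f"{comp.get('group', '')}:{comp['name']}"
        for adv_id in is_affected(coord, comp["version"], advisories):
            findings.append(
                {"component": coord, "version": comp["version"], "advisory": adv_id}
            )
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON):
        print(f"{f['component']}@{f['version']} is affected by {f['advisory']}")
```

Two details matter in practice. The match is done on the full package coordinate rather than the bare artifact name, so the sibling log4j-api artifact, which shares a version number but not the flaw, is not flagged; imprecise naming is exactly the kind of problem Census II highlights for library inventories. The half-open ranges also mean a backported fix such as 2.12.2 on the older branch is recognized as patched, which a naive "anything below 2.15.0" rule would miss.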
For more details and in-depth insights, explore the full Census II report.
Final Thoughts
With 70% to 90% of commercial software now made up of open-source components, organizations must strengthen their security posture by managing OSS dependencies responsibly: know what you ship, watch it for published vulnerabilities, and patch it promptly. Failure to do so leaves the same widely shared flaw exposed across critical business operations and global digital infrastructure.
Stay ahead of the curve by subscribing to The Bitter Truth: CyberSecurity Edition for ongoing updates on how to safeguard your OSS dependencies and ensure robust cybersecurity practices.
Open-source software (OSS) is the backbone of modern technology, powering everything from apps to critical infrastructure. A recent study by The Linux Foundation and Harvard sheds light on the security risks tied to these widely used libraries. With 70-90% of modern software relying on OSS, vulnerabilities in a single component can ripple across the global digital ecosystem. The small developer base and delayed patching practices increase the risk. To mitigate this, companies must adopt governance tools like SBOM and automate vulnerability scanning. The future of cybersecurity depends on how we manage our OSS dependencies.