
Synopsys: 81% of Open Source Projects Vulnerable to Security

Published 2022.06.30 16:14


▲Synopsys Korea, Je Byeong-ju, Vice President

2,409 commercial codebases, 97% open source, many risks
88% of organizations lack the latest updates... continuous management is essential

Experts have stressed that it is important to understand open source comprehensively, since it has become an essential element of development, and to establish a plan for managing it continuously. According to the findings presented, 81% of open source projects are vulnerable to security issues and 88% of organizations are not running the latest updates, so continuous management is required.

Synopsys Korea, a global application security company, released its 'OSSRA (Open Source Security and Risk Analysis)' report on the 30th and held an online meeting to discuss the open source ecosystem and explain its business direction and strategy.

The symposium consisted of the following: △Welcome remarks (Geok Cheng Tan, Managing Director, APAC SIG), △Synopsys corporate introduction and business strategy (Director Jeon So-hyun), △OSSRA report and introduction of the open source security ecosystem and risk analysis (Vice President Je Byeong-ju), and △Q&A session.

Vice President Je Byeong-ju argued that it is important to establish vulnerability management, license management, and version management plans for open source, an essential element of development, in his presentation titled 'Introduction to the OSSRA Report and Open Source Security Ecosystem and Risk Analysis.'

Published by Synopsys for the 7th time since 2018, OSSRA is a report that contains an analysis of approximately 2,400 commercial code bases in 17 industries worldwide through the global OSS license management solution, 'Black Duck Audit Services'.

According to the 2022 OSSRA report, open source is used in 97% of projects across industries worldwide, and 81% of these have at least one known open source vulnerability.
[Figure] Proportion of open source with vulnerabilities

Based on the OSSRA report, Vice President Je covered the following: △Open source vulnerability ratio, △High-risk vulnerability ratio, △Log4Shell vulnerability ratio, △Ratio of code with license conflicts, and △Maintenance update status.

The survey, which spans a range of industries including enterprise and SaaS, found a 64% increase in target code bases compared to last year, driven by a more than doubling in annual global mergers and acquisitions in the technology and telecom industries compared to the previous year.

The report shows that open source accounted for 78% of all code, with the ratio somewhat higher in the IoT field. Of these codebases, 81% contained open source with vulnerabilities, and jQuery was among the most common open source components involved. High-risk vulnerabilities were found in 49% of projects, or about half.

In major industries such as marketing, energy, and healthcare, the figures decreased compared to last year, but in semiconductors, IoT, mobile, robotics, and similar fields, the risk rose rapidly along with market growth. Overall, despite slight differences by industry, about half of those using open source were found to be at risk of exploitation by attackers. In particular, the Log4Shell vulnerability, which occurred in the open source log4j, was found to account for 15% of the total.

On open source license management, the report found that 53% of codebases had license conflicts between open source components. He added that 30% of open source is unlicensed or has a custom license, which can lead to unexpected legal disputes and therefore requires a separate internal review process.

In terms of open source maintenance, the effort to address open source vulnerabilities decreased compared to last year, yet more than half of the codebases still had license conflicts and close to half of the code contained high-risk vulnerabilities.

The percentage of open source that was not the latest version reached 88%, and only 16% was using the latest version or a release less than a year old. Regarding this, Vice President Je said, "Even if you build a new version that fixes security vulnerabilities, if you neglect version management and leave it alone, you will be exposed to more and more vulnerabilities."

To resolve open source security vulnerabilities, Vice President Je recommended first removing problematic open source at the development stage, and creating an SBOM (software bill of materials, a label that makes it easy to track which open source a piece of software uses) so that vulnerabilities can be responded to based on how the software is composed.
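As an added illustration (not code from the article or from Synopsys's tools), the following Python script runs a simple triage over a constructed SBOM covering the three management areas the presentation names: known vulnerabilities, license problems, and version lag. The SBOM, the advisory feed, and the "latest version" table are all constructed sample data, and the copyleft policy set is an assumed internal rule.

```python
"""Triage a constructed SBOM for the three risk areas named in the OSSRA talk:
vulnerability management, license management, and version management."""
import json
from datetime import date

# Constructed sample SBOM (CycloneDX-like shape); versions and dates are illustrative.
SBOM_JSON = """{
 "components": [
  {"name": "log4j-core", "version": "2.14.1", "licenses": ["Apache-2.0"], "released": "2021-03-12"},
  {"name": "jquery", "version": "1.12.4", "licenses": ["MIT"], "released": "2016-05-20"},
  {"name": "internal-widget", "version": "0.3.0", "licenses": [], "released": "2022-01-05"},
  {"name": "gpl-parser", "version": "4.1.0", "licenses": ["GPL-3.0-only"], "released": "2022-04-01"}
 ]}"""

# Constructed advisory feed: (component, first fixed version, advisory label).
ADVISORIES = [
    ("log4j-core", "2.15.0", "Log4Shell (constructed feed entry)"),
    ("jquery", "3.5.0", "constructed example advisory"),
]
# Constructed table of the latest known release per component.
LATEST = {"log4j-core": "2.17.2", "jquery": "3.6.0", "gpl-parser": "4.1.0", "internal-widget": "0.3.0"}
# Assumed internal policy: licenses that need a conflict review before proprietary distribution.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
MAX_AGE_DAYS = 365  # the report's "less than a year old" threshold


def vtuple(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def triage(sbom_json, today=date(2022, 6, 30)):
    """Return (component, area, detail) findings for every risk spotted in the SBOM."""
    findings = []
    for c in json.loads(sbom_json)["components"]:
        name, ver = c["name"], c["version"]
        # 1. Vulnerability management: component below the first fixed version.
        for comp, fixed, label in ADVISORIES:
            if comp == name and vtuple(ver) < vtuple(fixed):
                findings.append((name, "vulnerability", f"{label}; upgrade to >= {fixed}"))
        # 2. License management: unlicensed or copyleft components need internal review.
        if not c["licenses"]:
            findings.append((name, "license", "no declared license; needs internal review"))
        elif set(c["licenses"]) & COPYLEFT:
            findings.append((name, "license", "copyleft license; check for conflicts"))
        # 3. Version management: behind the latest release, or release older than a year.
        latest = LATEST.get(name)
        if latest and vtuple(ver) < vtuple(latest):
            findings.append((name, "version", f"{ver} is behind latest {latest}"))
        age = (today - date.fromisoformat(c["released"])).days
        if age > MAX_AGE_DAYS:
            findings.append((name, "version", f"release is {age} days old"))
    return findings
```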

On why awareness of security vulnerabilities is lacking in Korea, Vice President Je said, "In Korea, license conflicts are considered more of a problem than problems caused by security vulnerabilities," and added, "The global trend is to view vulnerability issues as more serious, but in Korea, especially in embedded systems, awareness is still lacking." He also said, "However, compared to last year, the rate at which security risk assessments, as well as licenses, are included has increased across the industry."

Regarding the current state of the domestic market, Vice President Je said, "In Korea, it is specialized mainly in the semiconductor and embedded fields, and the use of open source has increased recently." He also said, "In the domestic market, we mainly sell the Black Duck and Coverity products for open source security detection, and we conduct SI sales with partners such as LS Ware and IBM." He added that DAST is not yet ready for sale in the domestic market.

Finally, Vice President Je said, "Ultimately, open source identification, tracking, and management are key elements of software security. If vulnerability and license management are inadequate, business risks will inevitably increase." He added, "From the corporate perspective, methods for management will need to be devised, continuous version patching will be required, and the help of software composition analysis tools will be needed." He concluded, "Synopsys provides key information to help developers and consumers understand the open source ecosystem and manage open source."