AppSec Decoded: Managing your open source risks

If software is eating the world, as was said more than a decade ago, open source software is doing most of the eating. It is in virtually every codebase now in use and makes up the large majority—an average of 76%—of the components in those codebases.

That means it is most of the links in the massive and complicated software supply chains that enable innovation and bring dazzling features to both the online and physical worlds. But it also brings unique and dangerous risks.

And that’s why the Black Duck Cybersecurity Research Center has, for the eighth year running, produced the “Open Source Security and Risk Analysis” (OSSRA) report based on an analysis of the open source vulnerabilities and license conflicts found in more than 1,700 commercial codebases across 17 industries. The report offers recommendations on how to mitigate those risks and is available to the public for free.

Mike McGuire, senior software solutions manager with Black Duck, played a major role in the research and analysis that supports the latest OSSRA report. In this, the second of two AppSec Decoded conversations focused on the report, McGuire and Taylor Armerding, security advocate at Black Duck, discuss two of the most important ways to manage open source risks: an automated software composition analysis (SCA) tool, and the creation and maintenance of a software Bill of Materials (SBOM).