Developing software is a bit like playing with LEGO: you assemble thousands of Open Source Software (OSS) components into a new product. Once assembled, the origin of the individual building blocks is difficult to trace, with consequences for compliance and security.
Software development rarely starts from scratch. Development teams fall back on existing “legacy” code, work with third-party suppliers and rely on Open Source Software (OSS) components that are freely available on GitHub & Co. In today’s commercial applications, OSS makes up as much as 80-90% of the code.
All the more surprising, therefore, is the operational blindness of companies when it comes to documenting their OSS code components. In the course of software audits, the analysts from Revenera evaluated more than 2.6 billion lines of code and discovered 230,000 critical cases. This means that a compliance violation or software vulnerability is found every 11,500 lines of code. 83% of the risks uncovered in the audits were unknown to the companies' development, security and compliance teams prior to the investigation.