New Products at the Show

LIVE SHOW NEWS: Black Duck publishes 2018 Open Source Security and Risk Analysis Report

Black Duck Software (Stand AV7008) is at Autonomous Vehicle Technology World Expo to promote its Open Source Security and Risk Analysis (OSSRA) report, which provides an in-depth look at the state of open source security, license compliance, and code-quality risk in commercial software. The report takes a look at the audits the company has performed in the prior year and at broader trends.

Speaking on the first day of the show, Tim Mackey, senior technical evangelist, said, “One trend we are seeing is that US courts are starting to uphold that open source licenses are in fact illegal contracts of value. The case was brought when license fees were due and no source was provided. This set a precedent that contract law is appropriate to open source licenses and that breach of contract has a defined monetary value.

“We also saw that despite there being high-profile open source vulnerabilities – Equifax’s issues stemmed from a failure to appropriately patch an open source vulnerability – the incidence of patches did not improve as we expected; it actually stayed pretty consistent,” Mackey continued. “The average amount of time for patches is well into the many years – at least five to seven. When it concerns a phone app or an IoT device, that is not too bad with regard to their lifecycles. However, for an autonomous vehicle, which will be on the road for a decade, someone who has figured out how to exploit weaknesses will probably come along at some point. The issue is not so much whether software is secure today, it’s whether it will remain so over the expected lifespan of a piece of software.”
