Open Source Security Report



Q3 2015

The Open Source Security Report provides open source security trends, statistics, best practices, and resources for chief information security officers (CISOs), IT security staff, and software developers.


Open source software reaches near 100% adoption by mainstream IT organizations, increases demand for security solutions

Sponsored by Black Duck Software, who helps the world’s most innovative companies streamline, safeguard, and manage their use of open source software.

  • According to Gartner, 95 percent of all mainstream IT organizations will leverage some element of open source software (OSS) – directly or indirectly – within their mission-critical IT systems in 2015.
  • Gartner says that through 2020, security and quality defects publicly attributed to OSS projects will increase significantly, driven by a growing presence within high-profile, mission-critical and mainstream IT workloads.
  • The “2015 Future of Open Source Survey” sponsored by Black Duck Software and venture capital firm North Bridge reveals 78 percent of companies run on open source, yet many lack formal policies to manage legal and security risks.

How Small Businesses Can Fend Off Hackers – Black Duck CEO Lou Shipley shares cyber security tips in this WSJ article

  • Intruders are increasingly targeting the application stack for exploitation, according to the “Cisco 2015 Annual Security Report”. Cisco says the rise of cloud apps and the ubiquity of do-it-yourself (DIY) open-source content management systems (CMS) has created a landscape of vulnerable websites and SaaS offerings. Underlying systems/networking layers managed by IT operations may withstand malicious attacks, but application-level components built by developers are often riddled with vulnerabilities.
  • “Attackers have become more proficient at taking advantage of security gaps,” says Jason Brvenik, Principal Engineer, Security Business Group, at Cisco. “We observed that 56 percent of all OpenSSL versions still remain vulnerable to Heartbleed.” According to Dark Reading, three out of four Global 2000 companies are still vulnerable to Heartbleed one year after its discovery.
  • The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, recently announced financial support of nearly $500,000 for three new projects to better support critical security elements of today’s global information infrastructure.
  • The New Stack recently reported that the Linux Foundation and the job board DICE polled 1,010 hiring managers and 3,446 Linux professionals to report on the state of the Linux job market. Their recent annual survey states that security vulnerabilities such as the 2014 Heartbleed bug have fueled a need for Linux-savvy security pros.
  • Bill Ledingham, CTO at Black Duck Software, says 40 percent of the 8,000 vulnerabilities disclosed last year were in open source projects. The software on which, it turns out, a whole host of organizations depend is, all too often, insecure. It contains vulnerabilities that may lie dormant for years (and years and years) but, upon discovery, can have devastating effects because of its expansive use.
  • Manufacturing & Logistics IT Magazine recently reported that Stuart J. Mackintosh, who previously supported the UK Cabinet Office on its Open Source and standards strategy, has launched a global crowdfunding campaign to perform a full network security penetration test of the Odoo ERP open source solution. Such a test would be the first time Odoo, one of the most widely used ERP applications in the world, has been subjected to formal, stringent security testing, and Mackintosh said that the project will have ramifications not just for the open source market but for the wider software world as well. He hopes to raise up to £25,000 (approx. $39,000 USD) and has pledged to use all monies raised on investigating the security of Odoo to aid future development of the software.




Steven C. Morgan, Editor-In-Chief

Steve Morgan is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. Steve writes the weekly Cybersecurity Business Report for IDG’s CSO, and he is a contributing writer for several business, technology, and cybersecurity media properties.

© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.