About the 2023 Open Source Security and Risk Analysis Report and the CyRC
In its 8th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. We share these findings with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape. The Synopsys Cybersecurity Research Center (CyRC) provides the data for this report. The CyRC’s mission is to provide and publish security advisories and research that help organisations better develop and consume high-quality software.
The annual OSSRA report represents CyRC findings from the previous year’s data. Thus, our 2023 report is indicative of 2022 data. In 2022, the CyRC studied anonymised findings from over 1,700 commercial codebases across 17 industries. Our Audit Services team audits thousands of codebases for our customers each year, with the primary aim of identifying a range of software risks during merger and acquisition (M&A) transactions. Despite 2022’s economic ambiguity and a corresponding slowdown in tech mergers and acquisitions, audit numbers remained promisingly strong.
The Synopsys Black Duck® software composition analysis (SCA) product team and the CyRC Audit Services team have helped security, development, and legal teams around the world strengthen their security and license compliance programs for almost 20 years. Black Duck SCA enables organisations to identify and track open source code and integrate automated open source policy enforcement across their existing development environments. Black Duck audits cover all aspects of software risk and are generally performed in the context of an M&A transaction. The audits also provide a comprehensive, highly accurate software Bill of Materials (SBOM) covering the open source, third-party code, web services, and application programming interfaces (APIs) in an organisation’s applications. The Audit Services team relies on data from the Black Duck KnowledgeBase™ to identify potential license compliance and security risks. This KnowledgeBase, sourced and curated by the CyRC, includes data on more than 6.1 million open source components from over 28,000 forges and repositories.
No matter what industry you operate in, or what role you play in relation to organisational security and risk, the OSSRA continues to highlight the ever-growing presence of the open source fuelling your business, as well as the pitfalls of failing to effectively manage it. We say it every year: open source is the foundation for every application we rely on today. Identifying, tracking, and managing open source effectively is therefore critical to a successful software security program. This report offers key recommendations and insights to help developers and consumers of open source better understand the open source ecosystem and how to manage it responsibly.