Open Source in Application Security

The amount of open source code in applications has grown significantly¹

Share of open source code in applications, by year (chart legend: Custom Code vs. Open Source Code):

- 1998: 5-10% open source code
- 2008: 30-50% open source code
- 2016: 60-80% open source code

Security investment priorities do not match threats²

Chart: spending compared with risk, for the application layer and the network layer.

Black Duck’s On-Demand security audits of commercial applications in 2016 highlight the challenges organizations face in effectively securing & managing their open source.

Audit findings³:

- Companies surveyed were using twice as much open source as they reported prior to the audit (100% more than they believed).
- 67% of applications contained known open source security vulnerabilities.
- 40% of the known open source security vulnerabilities in each application were rated as “severe”.
- The average age of known security vulnerabilities found in the audits was more than 5 years.
- 10% of applications contained Heartbleed more than 2 years after it was discovered.

Sources:

1 Black Duck Estimate
2 Ponemon Institute, State of Application Security Risk Management Report
3 2016 Open Source Security Audit Report