Published August 2021

Sponsored by GrammaTech

Executive Summary

Commercial off-the-shelf software often includes open-source software components, but vendors frequently do not disclose details of the presence of such components. Many open-source components contain a range of known vulnerabilities that can be used as egress points for cyberattack. This lack of awareness of open-source components used by organizations in commercial off-the-shelf software increases the security risk, attack surface, and potential for compromise by cybercriminals.

In this white paper, we present the findings of an investigation into the use of open-source components in commercial off-the-shelf software—many of which have a list of known vulnerabilities—across five common software categories. The base data was generated by GrammaTech using its CodeSentry software supply chain security product. CodeSentry uses multiple methods of identifying open-source components used in commercial off-the-shelf software that is delivered in binary form. CodeSentry does not need access to the vendor’s source code to complete its analysis of included open-source components.