Vulnerabilities Detected in 86% of Open Source Software Codebases

Unlocking Insights from the 2025 Open Source Security and Risk Analysis Report: Key Vulnerabilities and Best Practices

Security Risks in Open Source Software: A Wake-Up Call for Developers

The latest annual Open Source Security and Risk Analysis (OSSRA) report from Black Duck highlights alarming vulnerabilities within commercial codebases, revealing that 86% contain vulnerable open source components. Analyzing 1,658 codebases across 16 industries, the report found that a staggering 81% of these applications harbor high- or critical-risk vulnerabilities.

The surge in open source files was particularly concerning: the average application in 2024 contained more than 16,000 open source files, up from just 5,300 in 2020. This trend indicates a growing reliance on open source components without adequate scrutiny of their security implications. The most prevalent vulnerabilities were linked to outdated versions of jQuery; 43% of the applications scanned contained this widely used JavaScript library, often in a version with known vulnerabilities.

Mike McGuire, Senior Manager at Black Duck, emphasized the critical need for improved open source dependency management, stating, “Blind spots are prevalent… as industries demand greater supply chain visibility.”

The risks extend beyond vulnerabilities alone. According to the findings, 90% of audited codebases contained components that were more than four years out of date, widening the attack surface available to malicious actors. With only 27% of dependencies included directly (the rest pulled in transitively) and 77% sourced through package managers, many organizations lack visibility into the full scope of their dependency tree and its security exposure.

Industry experts echo the urgency of these findings. Eric Schwake from Salt Security warned of the systemic risks posed by outdated software, while Jason Soroko of Sectigo urged teams to rethink their security strategies as traditional scanning methods miss a significant number of dependencies.

The report serves as a critical reminder for developers to meticulously evaluate their open source usage and prioritize patch management, ensuring both compliance and security in an era where the stakes have never been higher.
