When the first Open Source Security and Risk Analysis (OSSRA) report was launched in 2015, the software landscape was undergoing significant transformation. This shift was catalyzed by the infamous Heartbleed vulnerability in OpenSSL, which captured widespread attention in 2014, leading security teams to confront the reality of open source vulnerabilities.
At this time, developers were eager to capitalize on open source tools to drive innovation, often lacking established protocols or oversight. Meanwhile, organizations struggled to adapt to the rapidly changing software development environment.
Now, a decade later, the OSSRA report has solidified its role as an essential guide for navigating the complexities of open source use, identifying risks, and understanding industry trends. The 2025 edition commemorates its tenth anniversary by thoroughly examining thousands of codebases across different sectors and highlighting trends that point to both progress and lingering challenges.
The Rise of Open Source: From Niche to Mainstream
One of the most striking changes over the last ten years has been the rise of open source as a fundamental aspect of modern software development. In 2015, open source components made up approximately 35% of the average application under audit. Today, that figure has soared to 70%. Although this percentage has stabilized somewhat, the actual number of open source components within applications has surged due to increasing complexity.
A decade ago, an average application featured around 100 open source components; now, that number has ballooned to an astonishing 981—an increase of ten times. This trend can be largely attributed to the advent of package managers such as NPM and PyPI, which have simplified the integration of third-party code and transformed software creation processes.
Today, applications often incorporate hundreds of dependencies—both direct and indirect (where one open source component depends on another)—each posing its own set of vulnerabilities, outdated versions, and licensing complications. This rising complexity has made the effective management of open source a critical issue for both development teams and security professionals.
License Compliance: Progress but Persistent Challenges
Previous OSSRA reports highlighted an alarming prevalence of license compliance issues stemming from weak organizational frameworks for managing open source legal obligations. In 2015, about 75% of audited codebases exhibited license conflicts, indicating that many organizations were operating in violation of open source licensing terms.
Today, that figure has improved to 56%, demonstrating a growing corporate awareness, the establishment of better policies, and the deployment of effective oversight tools. The transition to cloud and SaaS models has also played a pivotal role in alleviating some distribution-related licensing responsibilities. While SaaS applications still encounter licensing conflicts, the associated risks have seen a noticeable reduction. Nevertheless, compliance remains a significant challenge, especially for organizations lacking robust governance systems.
A concerning statistic from the 2025 report indicates that 30% of applications still include code that either lacks a clear license or explicit permission for use. Legal experts warn that using software invariably requires rights granted by licenses, often advising against utilizing unlicensed code.
The improper use of third-party code can subject organizations to considerable legal risks, particularly during mergers and acquisitions, when potential buyers scrutinize the target company’s code for compliance with their policies and standards.
Vulnerabilities: The Volume is Outstripping Management
While license compliance issues are troubling, security remains a primary concern. Data from OSSRA illustrates that open source significantly impacts the risk environment. In 2015, 67% of applications contained at least one known open source vulnerability. That alarming figure has now climbed to 86%. Even more concerning is the average number of vulnerabilities per application, which has escalated from 22 to 154. This increase can be partly attributed to the growing size of codebases, yet the report emphasizes ongoing struggles among organizations to manage identified risks effectively.
A central challenge for companies using open source components is staying updated with the latest versions for necessary patches. The 2025 OSSRA report shows that 90% of codebases contain components that are outdated by more than four years. This age gap poses a significant risk, as many known vulnerabilities have available patches. A notable example is the Equifax data breach, which occurred due to a failure to apply a crucial security patch to Apache Struts, compromising the personal data of over 100 million individuals.
While some improvements have been made, the average time for reported vulnerabilities has decreased from five years to 2.8 years, indicating faster response times and greater awareness. However, this still represents a considerable lifespan for application security vulnerabilities, and with the complexity of modern software, overall exposure continues to grow.
Harnessing Data for Informed Decisions
The true value of the OSSRA lies in its ability to reveal patterns and trends. Before its introduction, discussions on open source usage were largely based on speculation and anecdotes. The report has shifted the conversation from “What risks might arise from utilizing open source?” to a more urgent “How can we manage these risks effectively?”
This urgency is amplified by increased scrutiny on software supply chains and tighter regulatory demands. Open source has transitioned from being a niche component to the foundational element of modern software applications. While advancements in tools and awareness have been made, many organizations find themselves striving to keep pace with monitoring, patching, and ensuring compliance.
Future Outlook: AI, Automation, and Growing Complexity
As software ecosystems and development methodologies continue to evolve, the forthcoming OSSRA reports will likely unveil a new set of challenges. The increasing use of package managers is enabling development teams to build increasingly complex systems. Furthermore, the growing application of generative AI in software development raises concerns about the incorporation of open source code. Developers frequently utilize code suggestions from AI tools, many of which have been trained on public and often open source repositories—raising pivotal copyright and licensing questions.
At the same time, large language models based on open source principles are being integrated into applications, presenting new challenges regarding attribution, governance, and security.
Conversely, AI-driven tools could offer some alleviation, allowing developers and security teams to enhance development processes and swiftly identify and resolve vulnerabilities.
The central theme here is complexity. Whether dealing with AI-generated code, containerized environments, or intricate dependency networks, managing open source effectively demands focused attention. For software diligence during mergers and acquisitions, a comprehensive audit by a reputable third party is invaluable. To manage open source risks in their own projects, organizations must maintain ongoing diligence, transparency, and an understanding that while open source software is free to utilize, it carries corresponding responsibilities.
The past decade of OSSRA insights provides a vivid portrait: open source is now crucial yet fraught with risks. Legal and security vulnerabilities persist, necessitating their integration into contemporary software development strategies. As the ecosystem expands and becomes more intricate, OSSRA and similar reports will be increasingly vital for organizations aiming to benchmark their practices and strengthen their defenses.
We have curated a list of the top online courses in cybersecurity.
