OSSRA Report by Synopsys outlines need for SBOM in software supply chain security


Editor’s brief: The 2023 OSSRA report released by the Synopsys Cybersecurity Research Center (CyRC) provides an in-depth look at the open source security, compliance, licensing, and code quality risks in commercial software. The majority of codebases (84%) have at least one open source vulnerability, and organizations need to compile a Software Bill of Materials (SBOM) to reduce business risk. OSSRA and SBOM are two important ideas to consider when assessing high-risk vulnerabilities in the retail and eCommerce industries and the Internet of Things (IoT) industries. Read more below.

SINGAPORE – Open Source Security and Risk Analysis (OSSRA) report version 8 was released today by the Synopsys Cybersecurity Research Center (CyRC), part of Synopsys, Inc. (Nasdaq: SNPS). The 2023 OSSRA report highlights trends in open source usage across 17 industries and analyzes the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions.

The 2023 OSSRA report aims to aid security, legal, risk, and development teams in their comprehension of the open source security and license risk landscape by providing an in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. The majority of codebases (84% this year) were found to have at least one open source vulnerability, up nearly 4% from last year’s findings.

A thorough inventory of all software a business uses, regardless of where it came from or how it was acquired, is the first step toward reducing business risk from open source, proprietary, and commercial code. Organizations can’t devise a plan to deal with risk brought on by new security disclosures like Log4Shell without first compiling a thorough inventory of all the software they use, known as a Software Bill of Materials (SBOM).

“The 2023 OSSRA report findings underscore the reality of open source as the underlying foundation of most types of software built today,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “An increase in the average number of open source components rising 13% (from 528 to 595) in this year’s audits further reinforces the importance of implementing a comprehensive SBOM that lists all open source components in your applications as well as their licenses, versions, and patch status. This is a foundational strategy towards understanding and reducing business risk by defending against software supply chain attacks.”

Among the most important things we learned from the OSSRA in 2023 were:

1. Explosive expansion in open source adoption

The education technology industry adopted open source software at a rate of 163%, driven by the global pandemic moving more classes and teacher/student interactions online. The manufacturing and robotics industries have seen growth of 74%, and the aerospace, aviation, automotive, transportation, and logistics industries have seen growth of 97%.

2. Worrying rise in high-risk vulnerabilities over the past 5 years

For example, high-risk vulnerabilities in the Retail and eCommerce industry have increased by 557% in the years since 2019. Over the same period, the Internet of Things (IoT) industry, where 89% of the total code is open source, saw a 130% increase in high-risk vulnerabilities. High-risk vulnerabilities also increased by 232% in the aerospace, aviation, automotive, transportation, and logistics industry.

3. OSS adoption raises risk of copyright breaches

According to the data analyzed, 31% of codebases make use of open source without a clear license or with custom licenses, a 55% increase over the previous OSSRA report. Open source code that carries no license, or a variant of another open source license, often requires legal evaluation for possible intellectual property issues or other legal implications, since such terms may impose undesirable requirements on the licensee.

4. Most codebases don’t use the available quality and security patches

Risk assessments found that 91% of the 1,480 codebases audited used out-of-date versions of open source components. A company’s inability to maintain an accurate and up-to-date SBOM increases the likelihood that an out-of-date component will go unnoticed until it is in a state where it is highly exploitable.
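The two findings above (unlicensed or custom-licensed components, and out-of-date components) are exactly what an SBOM review is meant to surface. The following is an added example, not code from the report or from Synopsys: it reads a constructed CycloneDX-style SBOM and flags components with no license, a non-SPDX custom license, or a version behind an assumed "latest" table (in practice that table would come from a package index or advisory feed).

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not from the OSSRA audits).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "jquery", "version": "3.6.4",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "legacy-utils", "version": "1.0.0"},
        {"name": "vendor-widget", "version": "0.9.2",
         "licenses": [{"license": {"name": "Custom Vendor EULA"}}]},
    ],
})

# Assumed latest released versions; a real check would query a package index or advisory feed.
LATEST_VERSIONS = {"log4j-core": "2.20.0", "jquery": "3.6.4",
                   "legacy-utils": "1.2.0", "vendor-widget": "0.9.2"}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def license_issue(component):
    """Return 'no-license', 'custom-license' or None for one component."""
    licenses = component.get("licenses", [])
    if not licenses:
        return "no-license"
    # CycloneDX: a license with an SPDX 'id' is recognised; a free-text 'name' is custom.
    if any("id" not in entry.get("license", {}) for entry in licenses):
        return "custom-license"
    return None


def review_sbom(sbom_json, latest_versions):
    """Flag components with missing/custom licenses or out-of-date versions."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        name, version = component["name"], component.get("version", "0")
        issue = license_issue(component)
        if issue:
            findings.append({"component": name, "issue": issue})
        latest = latest_versions.get(name)
        if latest and parse_version(version) < parse_version(latest):
            findings.append({"component": name, "issue": "out-of-date",
                             "installed": version, "latest": latest})
    return findings
```

Calling `review_sbom(SAMPLE_SBOM, LATEST_VERSIONS)` on the sample yields four findings: two for `legacy-utils` (no license, out of date), one custom-license flag for `vendor-widget`, and one out-of-date flag for `log4j-core`.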

“The key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents,” said Mike McGuire, senior software solutions manager within the Synopsys Software Integrity Group. “By building this visibility into the application lifecycle, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution. Organisations leveraging any type of third-party software should rightfully assume that it contains open source. Verifying this, and staying on top of the associated risk, is as simple as obtaining an SBOM – something easily provided by a vendor taking the necessary steps to secure their software supply chain.”
