
Synopsys Report: 74% of Codebases Had High-Risk Open Source Vulnerabilities, Up 54% Year Over Year

What To Know

  • The research shows that the number of codebases with high-risk open source vulnerabilities—actively exploited, proof-of-concept exploits, or remote code execution vulnerabilities—rose from 48% in 2022 to 74% in 2023.
  • License compliance is crucial to software supply chain management; however, the survey revealed that 53% of codebases had open source license conflicts and 31% had code with no license or a customized license.

Leading software integrity business Synopsys released its latest annual “Open Source Security and Risk Analysis (OSSRA)” report recently with some findings on commercial codebase adoption and high-risk vulnerabilities. Read more below.

SINGAPORE – Synopsys, Inc. (Nasdaq: SNPS) released the ninth annual “Open Source Security and Risk Analysis” (OSSRA) report recently. The data shows that nearly three-quarters of commercial codebases contain open source components exposed to high-risk vulnerabilities, up from last year.

The Synopsys Cybersecurity Research Center (CyRC) analyzes anonymized results from over 1,000 commercial codebase audits across 17 industries for the 2024 OSSRA report. The research gives security, development, and legal teams a complete picture of the open source world, including adoption and use trends, security vulnerabilities, software licensing, and code quality threats.

The percentage of codebases with at least one open source vulnerability remained at 84% in 2023, although high-risk vulnerabilities increased. Economic turmoil and tech worker layoffs may have reduced resources to patch vulnerabilities. The research shows that the number of codebases with high-risk open source vulnerabilities—actively exploited, proof-of-concept exploits, or remote code execution vulnerabilities—rose from 48% in 2022 to 74% in 2023.

“This year’s OSSRA report shows an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them vulnerable to cybercriminals,” said Synopsys Software Integrity Group general manager Jason Schmitt. In 2023, software teams were under pressure to develop quicker and do more with less, which may have contributed to this dramatic surge in open source vulnerabilities. Malicious actors have noticed this attack vector, so maintaining adequate software hygiene by identifying, tracking, and managing open source is crucial to software supply chain security.

Other key 2024 OSSRA discoveries include:

  • The “zombie code” apocalypse: Companies use obsolete or inactive open source components. Ninety-one percent of codebases had components 10 or more versions out of date, and 49% had components with no development activity in the preceding two years. The survey also discovered that the mean age of open source vulnerabilities in codebases was over 2.5 years, and nearly 25% had vulnerabilities over 10 years old.
  • Critical industries have high-risk open source vulnerabilities: High-risk open source vulnerabilities were most prevalent in Computer Hardware and Semiconductors (88%), followed by Manufacturing, Industrials, and Robotics (87%). High-risk vulnerabilities affected 66% of Big Data, AI, BI, and Machine Learning codebases, placing it in the middle. At the bottom, 33% of Aerospace, Aviation, Automotive, Transportation, and Logistics codebases contained high-risk vulnerabilities.
  • Open source license issues persist: License compliance is crucial to software supply chain management; however, the survey revealed that 53% of codebases had open source license conflicts and 31% had code with no license or a customized license. Again, 92% of codebases in Computer Hardware and Semiconductors had license issues, followed by 81% in Manufacturing, Industrials, and Robotics. One software license violation can cost a company profitable intellectual property and lead to time-consuming remediation and product delays.
  • One weakness type causes eight of the top 10 vulnerabilities: Improper Neutralization (CWE-707) accounted for most open source vulnerabilities in this investigation. This weakness class includes cross-site scripting, some forms of which can be very damaging if abused.
