Three-quarters (74%) of commercial codebases contain open source components featuring “high-risk” vulnerabilities, according to a new study from Synopsys.
The chip design tool company’s ninth annual Open Source Security and Risk Analysis (OSSRA) report analyzed anonymized findings from over 1000 commercial codebase audits in 17 industries.
It found that the share featuring high-risk open source bugs – that is, ones that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution – increased from 48% in 2022.
The computer hardware and semiconductor industry had the highest share of codebases with high-risk open source vulnerabilities (88%), followed by “manufacturing, industrials and robotics” (87%) and “big data, AI, BI and machine learning” (66%), according to the report.
The findings come in spite of the fact that the share of open source vulnerabilities in commercial code has remained virtually unchanged over the period at 84%. The surge in high-risk bugs could be down to tech industry lay-offs and/or recent macroeconomic uncertainty, which may have limited vendor resources available for patching, Synopsys hypothesized.
The report revealed that most (80%) of the most frequently recorded open source vulnerabilities are classified as improper neutralization weaknesses (CWE-707), a category that includes the various forms of cross-site scripting.
The research also pointed to a large volume of “zombie code” in many organizations. Some 91% of codebases contained components that were 10 or more versions out of date, while the mean age of open source vulnerabilities discovered was over 2.5 years old. Nearly a quarter of codebases contained vulnerabilities more than 10 years old.
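As an added illustration (not part of the original article or the Synopsys report), the script below applies the two criteria the article describes to a small set of constructed audit findings: the report's "high-risk" definition (actively exploited, documented proof of concept, or remote code execution) and the "zombie code" indicators (a component 10 or more releases behind, a vulnerability older than a given age). The findings, component names, placeholder CVE ids and dates are all invented for the example; ages are approximated as days divided by 365.25.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Finding:
    """One vulnerable open source component from a (constructed) codebase audit."""
    component: str
    installed: str          # version found in the codebase
    latest: str             # newest available release
    releases_between: int   # releases between installed and latest
    vuln_id: str            # placeholder id, not a real CVE
    published: date         # date the vulnerability was disclosed
    actively_exploited: bool = False
    public_poc: bool = False
    rce: bool = False


def is_high_risk(f: Finding) -> bool:
    """'High-risk' as the article summarizes the OSSRA definition:
    actively exploited, has a documented PoC exploit, or is classed as RCE."""
    return f.actively_exploited or f.public_poc or f.rce


def is_zombie(f: Finding, threshold: int = 10) -> bool:
    """Component is 'zombie code' when it is `threshold` or more releases out of date."""
    return f.releases_between >= threshold


def vuln_age_years(f: Finding, today: date) -> float:
    """Approximate age of the vulnerability in years (days / 365.25)."""
    return (today - f.published).days / 365.25


def triage(findings: List[Finding], today: date) -> Dict[str, float]:
    """Summarize a set of findings with the same metrics the report cites."""
    total = len(findings)
    high = sum(1 for f in findings if is_high_risk(f))
    zombies = sum(1 for f in findings if is_zombie(f))
    ages = [vuln_age_years(f, today) for f in findings]
    return {
        "total": total,
        "high_risk": high,
        "high_risk_pct": round(100.0 * high / total, 1) if total else 0.0,
        "zombie_components": zombies,
        "mean_age_years": round(sum(ages) / total, 3) if total else 0.0,
        "older_than_10y": sum(1 for a in ages if a > 10),
    }


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Patch order: high-risk findings first, oldest disclosures first within each group."""
    return sorted(findings, key=lambda f: (not is_high_risk(f), -vuln_age_years(f, today)))


# Constructed sample audit; none of these ids or components are real.
SAMPLE = [
    Finding("libfoo", "1.2.0", "1.14.0", 12, "CVE-0000-0001", date(2021, 1, 10), actively_exploited=True),
    Finding("barlib", "3.0.1", "3.0.4", 3, "CVE-0000-0002", date(2023, 11, 2), rce=True),
    Finding("bazjs", "0.9.0", "2.1.0", 25, "CVE-0000-0003", date(2012, 6, 15)),
    Finding("quxlib", "4.4.0", "4.5.0", 1, "CVE-0000-0004", date(2024, 2, 1)),
]
TODAY = date(2024, 3, 1)  # fixed 'today' so the example is reproducible


if __name__ == "__main__":
    summary = triage(SAMPLE, TODAY)
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("patch order:", [f.component for f in prioritize(SAMPLE, TODAY)])
```

Sorting high-risk findings ahead of merely old ones mirrors the report's point that age alone is a weaker signal than evidence of exploitation; a real SCA pipeline would populate the `actively_exploited` and `public_poc` flags from a feed such as a known-exploited-vulnerabilities list rather than by hand.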
The findings matter as a growing number of organizations are being compromised via such vulnerabilities.
One May 2023 study found that over three-fifths (61%) of US businesses had been directly impacted by a software supply chain threat over the previous year.
In September 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) released a long-awaited plan to enhance security within the open source ecosystem.
“The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities,” argued Jason Schmitt, general manager of the Synopsys Software Integrity Group.
“Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”