Synopsys has unveiled the ninth edition of its annual “Open Source Security and Risk Analysis” (OSSRA) report, indicating a significant surge in high-risk vulnerabilities affecting nearly three-quarters of commercial codebases compared to the previous year.
In this 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) scrutinises anonymised data from over 1,000 commercial codebase audits spanning 17 industries. The report furnishes security, development, and legal teams with a comprehensive overview of the open source landscape, delving into trends in open source software adoption, prevalence of security vulnerabilities, and risks associated with software licensing and code quality.
Despite a consistent proportion of codebases featuring at least one open source vulnerability (84% year over year), there’s a notable increase in codebases hosting high-risk vulnerabilities in 2023. This uptick could be linked to factors like economic instability and subsequent layoffs in the tech sector, leading to diminished resources for vulnerability patching. Data reveals a rise from 48% to 74% in the proportion of codebases with high-risk open source vulnerabilities—defined as those actively exploited, documented with proof-of-concept exploits, or classified as remote code execution vulnerabilities—between 2022 and 2023.
“This year’s OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”
Additional key findings from the 2024 OSSRA report include:
- A “zombie code” apocalypse: Organisations are depending on outdated or inactive open source components. Ninety-one percent of codebases contained components that were 10 or more versions out of date, and nearly half (49%) of codebases contained components that had seen no development activity within the past two years. The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.
- High-risk open source vulnerabilities permeate critical industries: The Computer Hardware and Semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by Manufacturing, Industrials and Robotics at 87%. Closer to the middle of the pack, the Big Data, AI, BI and Machine Learning industry had 66% of its codebases impacted by high-risk vulnerabilities. At the bottom of the list, the Aerospace, Aviation, Automotive, Transportation and Logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.
- Open source license challenges remain: License compliance is an important aspect of effective software supply chain management, but the report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customised license. Once again, the Computer Hardware and Semiconductors industry ranked highest in percentage of codebases containing license conflicts at 92% followed by Manufacturing, Industrials and Robotics at 81%. Just one noncompliant license in software can result in loss of lucrative intellectual property, time-consuming remediation and delays in getting products to market.
- Eight of the top 10 vulnerabilities trace back to one common weakness type: The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralisation weaknesses (CWE-707). This weakness type includes the various forms of cross-site scripting that, if exploited, can be quite severe.
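The report's two classification rules, "high-risk" vulnerabilities (actively exploited, public proof of concept, or remote code execution) and "zombie" components (10 or more versions behind, or no development activity in two years), are simple enough to apply to your own component inventory. The following is an added example, not code from Synopsys or the report; the component names, placeholder CVE identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds taken from the report's own definitions of "zombie code".
OUTDATED_VERSIONS = 10   # "10 or more versions out of date"
INACTIVE_YEARS = 2       # "no development activity within the past two years"

@dataclass
class Vulnerability:
    cve: str                       # placeholder identifiers below, not real CVEs
    actively_exploited: bool = False
    public_poc: bool = False
    remote_code_execution: bool = False

    def is_high_risk(self) -> bool:
        """OSSRA definition: exploited in the wild, has a public PoC, or is RCE."""
        return self.actively_exploited or self.public_poc or self.remote_code_execution

@dataclass
class Component:
    name: str
    versions_behind: int           # releases between the pinned and latest version
    last_commit: date              # most recent upstream development activity
    vulns: list = field(default_factory=list)

def is_zombie(c: Component, today: date) -> bool:
    """Outdated by 10+ versions, or no upstream activity in the last two years."""
    cutoff = date(today.year - INACTIVE_YEARS, today.month, today.day)
    return c.versions_behind >= OUTDATED_VERSIONS or c.last_commit < cutoff

def assess(components, today):
    """Flag zombie components and high-risk findings across an inventory."""
    zombies = [c.name for c in components if is_zombie(c, today)]
    high_risk = [(c.name, v.cve) for c in components for v in c.vulns if v.is_high_risk()]
    return {"zombie_components": zombies, "high_risk_findings": high_risk}

# Constructed sample inventory (hypothetical components, not from the report).
AS_OF = date(2024, 2, 20)
SAMPLE = [
    Component("libfoo", 12, date(2023, 6, 1), [Vulnerability("CVE-XXXX-0001", public_poc=True)]),
    Component("libbar", 2, date(2021, 1, 15), [Vulnerability("CVE-XXXX-0002")]),
    Component("libbaz", 0, date(2024, 1, 10), [Vulnerability("CVE-XXXX-0003", remote_code_execution=True)]),
]

if __name__ == "__main__":
    print(assess(SAMPLE, AS_OF))
```

In the sample, libfoo is flagged for being 12 versions behind and libbar for two years without a commit, while only the findings with a public PoC or RCE classification count as high risk.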
To learn more about the 2024 OSSRA findings, download a copy of the report, read the blog post or register for the March 28th webinar.