Nearly all programs contain at least a small amount of open source code, and 48% of code bases have serious security flaws.
At a time when practically all software is composed of open source code, 84% of all commercial and proprietary code bases were found to contain at least one known open source vulnerability, according to researchers at the application security company Synopsys.
Moreover, high-risk vulnerabilities, meaning those that have been actively exploited, already have documented proof-of-concept exploits, or are categorised as remote code execution vulnerabilities, were present in 48% of all code bases examined by Synopsys researchers. The vulnerability data, along with details on open source licence compliance, appears in the 2023 Open Source Security and Risk Analysis (OSSRA) report from the Synopsys Cybersecurity Research Center (CyRC).
The research examines trends in the use of open source across 17 industries, based on an analysis of audits of code bases involved in merger and acquisition transactions. (The Audit Services division of Synopsys examines code to find software risks for businesses engaged in merger and acquisition negotiations.) During the audits, 1,481 code bases were assessed for both vulnerabilities and open source licence compliance, while 222 additional code bases were examined for compliance only.
Based on code audits conducted in 2022, the OSSRA study estimates that there were 4% more known open source vulnerabilities than in 2021. In the aerospace, aviation, automotive, transportation, and logistics sector, for example, every code base examined contained open source code, and open source made up 73 percent of all the code examined there.
In this sector, 63% of all the code (open source and proprietary) contained high-risk vulnerabilities, defined as those with a CVSS severity score of 7 or higher. In the energy and clean tech sector, 78% of the code was open source, and 69% of it contained high-risk vulnerabilities.
Over the past five years, the code bases of every industry vertical have seen an increase in the proportion of open source code, according to the OSSRA research. In the education technology sector, for instance, the proportion of open source code within scanned code bases increased by 163% between 2018 and 2022; in the aerospace, aviation, automotive, transportation, and logistics sector it increased by 97%; and in the manufacturing and robotics sector it increased by 74%.
Meanwhile, high-risk vulnerabilities have increased across all industries. Over a five-year period, for instance, organisations in the aerospace, aviation, automotive, transportation, and logistics sector saw a 223% increase in high-risk vulnerabilities.
The research also found that 91% of the 1,481 code bases assessed for risk contained outdated open source components, meaning that an update or patch was available but had not been deployed.
One explanation is that DevSecOps teams may decide the risk of unexpected consequences outweighs the benefits of moving to the newer version. Limited time and resources, the researchers note, may also play a role.
The research recommends that organisations use a software bill of materials (SBOM) to defend against attacks on known vulnerabilities and to maintain their open source code. A thorough SBOM lists every open source component used in an application, together with its licence, version, and patch status. The report finds that such an SBOM enables organisations to quickly identify at-risk components and prioritise remediation properly.
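To show how an SBOM supports that prioritisation, here is an added example (not from the report or from Synopsys) that matches a constructed CycloneDX-style SBOM against a constructed advisory list, flags components shipped below the fixed version, and ranks them using the report's CVSS 7 high-risk threshold. The component names, versions, licences and advisory ids are all made up, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed SBOM in the CycloneDX JSON shape, reduced to the fields used here;
# component names, versions and licences are made up for the example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libalpha", "version": "1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbeta", "version": "4.0.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "libgamma", "version": "0.9.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "libalpha", "fixed_in": "1.2.5", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "name": "libgamma", "fixed_in": "0.9.4", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "name": "libbeta", "fixed_in": "3.9.0", "cvss": 7.5},
]
HIGH_RISK_CVSS = 7.0  # the report's threshold for a high-risk vulnerability

def parse_version(version):
    """Split a dotted numeric version into a comparable tuple (simplified)."""
    return tuple(int(part) for part in version.split("."))

def assess(sbom_json, advisories):
    """Match SBOM components against advisories and rank what needs patching."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            # At risk (and outdated) when the shipped version predates the fix.
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"], "version": comp["version"],
                    "licence": comp["licenses"][0]["license"]["id"],
                    "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                    "cvss": adv["cvss"], "high_risk": adv["cvss"] >= HIGH_RISK_CVSS,
                })
    # High-risk findings first, then by descending CVSS score.
    findings.sort(key=lambda f: (not f["high_risk"], -f["cvss"]))
    return findings

if __name__ == "__main__":
    print(json.dumps(assess(SBOM_JSON, ADVISORIES), indent=2))
```

libbeta produces no finding because its shipped version is already past the fixed version; libalpha sorts first as the only high-risk item.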