At least one open source vulnerability found in 84% of code bases: report

At a time when nearly all software contains open source code, 84% of the commercial and proprietary codebases examined by researchers at application security firm Synopsys contained at least one known open source vulnerability.
Additionally, 48% of the codebases analyzed by Synopsys researchers contained high-risk vulnerabilities: vulnerabilities that have been actively exploited, have documented proof-of-concept exploits, or are categorized as remote code execution vulnerabilities.
The vulnerability data, together with findings on open source license compliance, is included in Synopsys’ 2023 Open Source Security and Risk Analysis (OSSRA) report, compiled by the company’s Cybersecurity Research Center (CyRC).
Based on an analysis of codebase audits related to merger and acquisition transactions, the report highlights trends in open source usage across 17 industries. (Synopsys’ Audit Services division audits code to identify software risks for companies involved in merger and acquisition transactions.)
The audits examined 1,481 codebases for both vulnerabilities and open source license compliance, and a further 222 codebases for license compliance only.
Open source vulnerabilities on the rise
The OSSRA report is based on code audits conducted in 2022, and shows a 4% increase in the number of known open source vulnerabilities over 2021.
“Open source was in almost everything we surveyed this year,” the researchers said, adding that it contains a large number of known vulnerabilities that have not been addressed and remain vulnerable to exploitation.
All codebases surveyed from companies in the aerospace, aviation, automotive, transportation and logistics sector contained open source code, which made up 73% of the total code. 63% of the codebases in this sector (open source and proprietary) contained vulnerabilities classified as high risk, that is, with a CVSS severity score of 7 or higher.
In the energy and clean tech sector, 78% of all code was open source, and 69% of codebases contained high-risk vulnerabilities.
Although the codebases of companies in these sectors accounted for a higher share of overall vulnerabilities than other sectors, the report noted that “similar findings, albeit to a lesser extent,” were apparent across all industries.
Open Source Adoption Soars
According to the OSSRA report, the percentage of open source code in codebases has increased across all industries over the past five years.
For example, between 2018 and 2022, the share of open source code in scanned codebases grew by 163% in the education technology (EdTech) sector, by 97% in aerospace, aviation, automotive, transportation and logistics, and by 74% in manufacturing and robotics.
“We attribute the explosive open source growth of EdTech to the pandemic. Education has been driven online, with software serving as a key foundation,” the report says.
Increase in high-risk vulnerabilities
Meanwhile, high-risk vulnerabilities are on the rise across all sectors. For example, companies in aerospace, aviation, automotive, transportation and logistics saw a 232% increase in high-risk vulnerabilities over five years.
“Much of the software and firmware used in these industries operates within closed systems, which can reduce the potential for exploitation and make the need for patching less urgent,” Synopsys said.
High-risk vulnerabilities in IoT-related codebases have surged 130% since 2018.
“This is of particular concern when considering the usefulness of IoT devices. We connect many aspects of our lives to these devices and trust the inherent safety of doing so,” the researchers said.
No patch available
Of the 1,481 codebases that received a risk assessment, 91% contained outdated versions of open source components.
One possible reason is that development teams may decide that the risk of unintended consequences outweighs the benefit of applying a new version. Researchers say a lack of time and resources could also be a factor.
“With many teams already reaching their limits for building and testing new code, updating existing software may be a low priority for all but the most critical issues,” the report said.
Additionally, DevSecOps teams may simply not know when new versions of open source components become available.
SBOM helps maintain code quality and compliance
To avoid exploitation of vulnerabilities and keep open source code up to date, organizations should maintain a software bill of materials (SBOM), the report suggests.
A comprehensive SBOM lists all open source components in an application along with their license, version, and patch status.
An SBOM of open source components enables organizations to quickly identify at-risk components and prioritize remediation appropriately.
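As an added example that is not part of this article or of the OSSRA report, the following Python script shows how an SBOM of the kind described above (components with version, license and patch status) can be cross-checked against a vulnerability feed to surface the two problems the report highlights: components carrying high-risk vulnerabilities (actively exploited, public proof of concept, RCE, or CVSS 7 or higher, as defined earlier in the article) and components that are outdated or have no fixed version available. The CycloneDX-style SBOM document, the advisory feed with its EXAMPLE-* identifiers, the package names and the "latest known version" table are all constructed for illustration and are not real packages or CVEs; the dotted-version comparison is a deliberate simplification that ignores pre-release tags.

```python
"""Triage a CycloneDX-style SBOM against a vulnerability feed (added example; stdlib only)."""
import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

HIGH_RISK_CVSS = 7.0  # article's threshold for "high risk"

# Constructed SBOM in CycloneDX JSON shape; package names are hypothetical.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-yaml",   "version": "1.0.4",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-crypto", "version": "0.9.0",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "name": "example-log",    "version": "4.1.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed advisory feed. IDs are placeholders, not real CVEs.
# "fixed": None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "example-http", "introduced": "2.0.0",
     "fixed": "2.4.0", "cvss": 9.8, "rce": True, "exploited": False, "poc": False},
    {"id": "EXAMPLE-0002", "component": "example-yaml", "introduced": "1.0.0",
     "fixed": "1.0.5", "cvss": 5.3, "rce": False, "exploited": False, "poc": True},
    {"id": "EXAMPLE-0003", "component": "example-crypto", "introduced": "0.5.0",
     "fixed": "0.9.0", "cvss": 7.5, "rce": False, "exploited": False, "poc": False},
    {"id": "EXAMPLE-0004", "component": "example-log", "introduced": "4.0.0",
     "fixed": None, "cvss": 4.3, "rce": False, "exploited": False, "poc": False},
]

# Constructed "latest known release" table (in practice, from the package registry).
LATEST_VERSION = {"example-http": "2.5.0", "example-yaml": "1.0.5",
                  "example-crypto": "0.9.0", "example-log": "4.1.0"}


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    cvss: float
    high_risk: bool
    fixed_in: Optional[str]   # None = no patch available
    outdated: bool            # a newer release than the one in the SBOM exists


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted-version key. Simplification: ignores pre-release/build tags."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version: str, adv: dict) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def is_high_risk(adv: dict) -> bool:
    """Article's definition: exploited, public PoC, RCE, or CVSS >= 7."""
    return adv["exploited"] or adv["poc"] or adv["rce"] or adv["cvss"] >= HIGH_RISK_CVSS


def load_components(sbom_json: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (name, version, license ids) for each SBOM component."""
    for c in json.loads(sbom_json).get("components", []):
        licenses = [l["license"].get("id", "unknown") for l in c.get("licenses", [])]
        yield c["name"], c["version"], licenses


def outdated_components(sbom_json: str, latest: dict) -> List[str]:
    return [name for name, version, _ in load_components(sbom_json)
            if name in latest and parse_version(version) < parse_version(latest[name])]


def triage(sbom_json: str, advisories: list, latest: dict) -> List[Finding]:
    """Match SBOM components to advisories; high-risk first, then by CVSS."""
    stale = set(outdated_components(sbom_json, latest))
    findings = [
        Finding(name, version, adv["id"], adv["cvss"], is_high_risk(adv),
                adv["fixed"], name in stale)
        for name, version, _ in load_components(sbom_json)
        for adv in advisories
        if adv["component"] == name and is_affected(version, adv)
    ]
    findings.sort(key=lambda f: (not f.high_risk, -f.cvss))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, LATEST_VERSION):
        status = "HIGH RISK" if f.high_risk else "lower risk"
        fix = f"fixed in {f.fixed_in}" if f.fixed_in else "NO PATCH AVAILABLE"
        print(f"{f.component} {f.version}: {f.advisory_id} CVSS {f.cvss} [{status}] {fix}"
              + (" (newer release exists)" if f.outdated else ""))
```

Note that `example-crypto` produces no finding even though its advisory carries a CVSS of 7.5, because the SBOM version equals the fixed version; conversely `example-log` is fully up to date yet still reported, because no patched release exists. Keeping the "no fix available" case distinct from the "outdated" case is what lets a team prioritize the way the report describes: upgrade where a fix exists, and apply mitigations or monitoring where it does not.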
Copyright © 2023 IDG Communications, Inc.
https://www.csoonline.com/article/3688911/at-least-one-open-source-vulnerability-found-in-84-of-code-bases-report.html#tk.rss_all