At a time when almost all software contains open source code, at least one known open source vulnerability was found in 84% of all proprietary and commercial codebases examined by researchers at application security company Synopsys.
In addition, 48% of all codebases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.
The vulnerability data, along with information on open source license compliance, was included in Synopsys’ 2023 Open Source Security and Risk Analysis (OSSRA) report, produced by the company's Center for Cyber Security Research (CyRC).
The report is based on analysis of audits of code bases involved in M&A transactions and highlights trends in the use of open source across 17 industries. (Synopsys’ audit services unit audits code to identify software risks for companies involved in M&A deals.)
The audits examined 1,481 code bases for vulnerabilities and open source license compliance, and another 222 code bases were analyzed for compliance only.
Open source vulnerabilities on the rise
The OSSRA report is based on code audits conducted in 2022, where the number of known open source vulnerabilities increased by 4% from 2021.
“Open source was in almost everything we examined this year; it made up the majority of the code bases across all industries,” the report said, adding that the code bases contained a worryingly high number of known vulnerabilities that organizations had failed to patch, leaving them vulnerable to exploits.
All code bases examined from companies in the aerospace, aviation, automotive, transportation, and logistics industries contained some open source code, with open source code accounting for 73% of the total code. Sixty-three percent of all code in these industries (open source and proprietary) contained vulnerabilities classified as high risk, those with a CVSS severity score of 7 or higher.
In the energy and cleantech sector, 78% of the total code was open source and 69% contained high-risk vulnerabilities.
Although company code bases in these industries had higher percentages of total vulnerabilities than other industries, “similar findings, to a lesser degree, occurred across all industries,” according to the report.
Open Source Adoption Leaps
The percentage of open source code has increased in code bases across all industry verticals over the past five years, according to the OSSRA report.
Between 2018 and 2022, for example, the percentage of open source code within scanned codebases grew by 163% in technology for the education sector; 97% in aerospace, aviation, automotive, transportation and logistics; and 74% in manufacturing and robotics.
“We attribute the explosive growth of open source EdTech to the pandemic; with online-driven education and software serving as its critical foundation,” the report says.
High-risk vulnerabilities on the rise
Meanwhile, there has been a rise in high-risk vulnerabilities across all sectors. For example, aerospace, aviation, automotive, transportation, and logistics companies saw a 232% increase in high-risk vulnerabilities over the 5-year period.
“Much of the software and firmware used in these industries operates within closed systems, which can reduce the likelihood of an exploit and can lead to a lack of urgency in the need to patch it,” Synopsys said.
High-risk vulnerabilities in IoT-related code bases have increased 130% since 2018.
“This is particularly worrying when we think about the usefulness of IoT devices; we connect many aspects of our lives to these devices and rely on the inherent security of doing so,” the researchers noted.
Available patches not applied
Of the 1,481 code bases examined by the researchers that included risk assessments, 91% contained out-of-date versions of open source components, meaning that an update or patch was available but not applied.
The reason for this could be that development teams may determine that the risk of unintended consequences outweighs any benefit from applying the newer version. The researchers say that time and resources could also be a reason.
“With many teams already on the brink of creating and testing new code, updates to existing software can become a lower priority for all but the most critical issues,” the report says.
Also, according to the report, DevSecOps teams may not even know when a newer version of an open source component is available.
SBOMs help maintain code quality, compliance
To prevent vulnerabilities from being exploited and keep open source code up to date, organizations should use a software bill of materials (SBOM), the report suggests.
A complete SBOM lists all open source components in the applications, as well as their licenses, versions, and patch status.
An SBOM of open source components allows organizations to quickly identify components at risk and prioritize remediation accordingly, the report concludes.
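The triage the report describes, as an added example that is not from the OSSRA report or Synopsys' tooling: a script that reads a constructed CycloneDX-style SBOM, compares each component against a constructed advisory feed, and ranks components using the page's high-risk criteria (CVSS 7 or higher, or actively exploited) ahead of merely out-of-date ones. The component names, versions and vulnerability identifiers are placeholders, not real advisories.

```python
import json

# Constructed CycloneDX-style SBOM fragment (placeholder components, not real packages)
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-xml", "version": "1.0.4",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-log", "version": "4.1.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory feed: latest release plus known vulns with CVSS and exploit status
ADVISORIES = {
    "example-http": {"latest": "2.5.0", "vulns": [
        {"id": "VULN-PLACEHOLDER-1", "fixed_in": "2.4.0", "cvss": 9.8, "exploited": True}]},
    "example-xml": {"latest": "1.0.4", "vulns": []},
    "example-log": {"latest": "4.2.0", "vulns": [
        {"id": "VULN-PLACEHOLDER-2", "fixed_in": "4.2.0", "cvss": 5.3, "exploited": False}]},
}

def parse_version(v):
    """Dotted numeric versions only; tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))

def triage(sbom_json, advisories, high_risk_cvss=7.0):
    """Return components ordered by remediation priority: high-risk, then by CVSS, then outdated."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, ver = comp["name"], comp["version"]
        adv = advisories.get(name)
        if adv is None:
            continue  # no advisory data: cannot assess, skip rather than guess
        lic = comp.get("licenses", [{}])[0].get("license", {}).get("id", "unknown")
        open_vulns = [v for v in adv["vulns"] if parse_version(ver) < parse_version(v["fixed_in"])]
        high_risk = any(v["cvss"] >= high_risk_cvss or v["exploited"] for v in open_vulns)
        findings.append({
            "name": name, "version": ver, "license": lic, "latest": adv["latest"],
            "outdated": parse_version(ver) < parse_version(adv["latest"]),
            "open_vulns": [v["id"] for v in open_vulns], "high_risk": high_risk,
            "max_cvss": max((v["cvss"] for v in open_vulns), default=0.0),
        })
    findings.sort(key=lambda f: (not f["high_risk"], -f["max_cvss"], not f["outdated"]))
    return findings
```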
Copyright © 2023 IDG Communications, Inc.