A new report from Synopsys reveals that 74% of codebases contain high-risk open source vulnerabilities, a 54% increase from last year

The computer hardware and semiconductor industry contains the most open source vulnerabilities classified as high risk, followed by manufacturing, industrial and robotics

SUNNYVALE, California, February 27, 2024 /PRNewswire/ — Synopsys, Inc. (Nasdaq: SNPS) today released the ninth edition of its annual Open Source Security and Risk Analysis (OSSRA) report. The research highlights that nearly three-quarters of the commercial codebases for which the risk was assessed contain open source components affected by high-risk vulnerabilities, which represents a sharp increase compared to the previous year.

In the 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) analyzes anonymized findings from more than 1,000 audits of commercial codebases across 17 industries. The report provides security, development and legal teams with a comprehensive view of the open source landscape, including trends in the adoption and use of open source software as well as the prevalence of security vulnerabilities, and software licensing and code quality risks.

While codebases containing at least one open source vulnerability remained consistent year-over-year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. This can potentially be attributed to variables such as economic instability and consequent layoffs of technology workers, reducing the number of available resources for patching vulnerabilities. According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that are actively exploited, have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities — rose from 48% in 2022 to 74% in 2023.

“This year’s OSSRA report indicates an alarming increase in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk of exploitation by cybercriminals,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “Increasing pressure on software teams to move faster and do more with less in 2023 likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have noticed this attack vector, so maintaining proper software hygiene by identifying, monitoring and managing open source code is effectively a key element in strengthening the security of the software supply chain.”

Additional key findings from the 2024 OSSRA report include:

  • The zombie code apocalypse: Organizations depend on outdated or inactive open source components. Ninety-one percent of the codebases contained components that were 10 or more versions out of date, and almost half (49%) of the codebases contained components that had no development activity in the past two years. The report also found that the average age of open source vulnerabilities in codebases was more than 2.5 years old, and nearly a quarter of codebases contained vulnerabilities older than 10 years.
  • High-risk open source vulnerabilities permeate critical industries: The computer hardware and semiconductor industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by manufacturing, industrial and robotics at 87%. Closer to the middle of the pack, the Big Data, AI, BI and machine learning industry had 66% of its codebases affected by high-risk vulnerabilities. At the bottom of the list, the aerospace, aviation, automotive, transportation and logistics industries still have high-risk vulnerabilities in a third (33%) of their codebases.
  • Open source license challenges remain: License compliance is an important aspect of effective software supply chain management, but the report found that more than half (53%) of codebases contained open source license conflicts, and 31% of codebases used code with no visible license or with a custom license. Once again, the computer hardware and semiconductor industry ranked highest in the percentage of codebases containing license conflicts at 92%, followed by manufacturing, industrial and robotics at 81%. Just one non-compliant software license can result in the loss of lucrative intellectual property, lengthy remediation and delays in bringing products to market.
  • Eight of the top 10 vulnerabilities stem from one common type of weakness: Most of the open source vulnerabilities observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707). This category covers various forms of cross-site scripting that, if exploited, can be quite serious.

To learn more about the 2024 OSSRA findings, download a copy of the report, read the blog post or register for the March 28 webinar.

About Synopsys Software Integrity Group
Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risks. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that works best for them. Only Synopsys offers everything you need to build trust in your software. Learn more at www.synopsys.com/software.

About Synopsys
Catalyzing an era of pervasive intelligence, Synopsys, Inc. (Nasdaq: SNPS) delivers reliable and comprehensive silicon-to-systems design solutions, from electronic design automation to silicon IP and system verification and validation. We work closely with semiconductor and systems customers across a wide range of industries to maximize their R&D capability and productivity, driving today’s innovation that fuels tomorrow’s ingenuity. Learn more at www.synopsys.com.

Editorial contact:
Liz Samet
Synopsys, Inc.
336-414-6753

SOURCE Synopsys, Inc.
