Synopsys recently released the ninth edition of its “Open Source Security and Risk Analysis” (OSSRA) report, which documents a sharp year-on-year rise in high-risk vulnerabilities, now present in almost three-quarters of the commercial codebases audited. The 2024 OSSRA report, produced by the Synopsys Cybersecurity Research Center (CyRC), is based on anonymised data from more than 1,000 commercial codebase audits across 17 industries. It is written for security, development, and legal teams, and covers trends in open source adoption, the prevalence of known vulnerabilities, and risks arising from software licensing and code quality.
The headline finding is the jump in codebases containing high-risk vulnerabilities: from 48% in 2022 to 74% in 2023. The report counts a vulnerability as high-risk if it is being actively exploited, has a documented proof-of-concept exploit, or is classified as remote code execution. That jump occurred even though the share of codebases with at least one open source vulnerability stayed flat at 84%, so the change is in severity and exploitability rather than in the number of affected codebases. The report suggests that economic instability and layoffs in the tech sector, which left fewer people available to remediate known issues, may account for part of the increase.
Jason Schmitt, the general manager of Synopsys Software Integrity Group, expressed concern over the rise in high-risk open source vulnerabilities, highlighting the risks faced by critical industries susceptible to exploitation by cybercriminals. He emphasised the importance of maintaining proper software hygiene to enhance the security of the software supply chain, especially in a fast-paced environment where software teams are under pressure to deliver more with fewer resources.
The 2024 OSSRA report also uncovered several other significant findings. One of these findings highlighted the prevalence of outdated or inactive open source components in organisations, referred to as the “zombie code” apocalypse. The report revealed that 91% of codebases contained components that were 10 or more versions out-of-date, with nearly half (49%) of codebases hosting components with no development activity in the past two years. Additionally, the mean age of open source vulnerabilities in codebases exceeded 2.5 years, with a quarter of codebases containing vulnerabilities more than a decade old.
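The two thresholds the report uses for “zombie code” (ten or more versions behind the latest release, and no upstream development activity in two years) are easy to turn into a check that can run over a dependency inventory. The following is an added example, not code from the report or from Synopsys; the component names, versions and dates are constructed, and the shape of the inventory (pinned version, list of known releases, date of last upstream commit) is an assumption about what a practitioner can export from their own SBOM or package manager.

```python
"""Flag 'zombie' open source components using the two OSSRA thresholds:
10+ versions behind the latest release, or no upstream activity for 2+ years.
Added example; the inventory below is constructed, not data from the report."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

VERSIONS_BEHIND_THRESHOLD = 10   # "10 or more versions out-of-date"
INACTIVE_YEARS_THRESHOLD = 2     # "no development activity in the past two years"


@dataclass
class Component:
    name: str
    version: str          # version pinned in the codebase
    releases: List[str]   # all known upstream releases (assumed input; order irrelevant)
    last_commit: date     # date of the most recent upstream commit (assumed input)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def versions_behind(comp: Component) -> int:
    """Number of upstream releases newer than the pinned version."""
    pinned = parse_version(comp.version)
    return sum(1 for r in comp.releases if parse_version(r) > pinned)


def years_inactive(comp: Component, today: date) -> float:
    """Years since the last upstream commit, as a fraction."""
    return (today - comp.last_commit).days / 365.25


def classify(comp: Component, today: date) -> List[str]:
    """Return the zombie findings for one component (empty list if healthy)."""
    findings = []
    behind = versions_behind(comp)
    if behind >= VERSIONS_BEHIND_THRESHOLD:
        findings.append(f"{behind} versions out of date")
    idle = years_inactive(comp, today)
    if idle >= INACTIVE_YEARS_THRESHOLD:
        findings.append(f"no upstream activity for {idle:.1f} years")
    return findings


def zombie_report(components: List[Component], today: date) -> Dict[str, List[str]]:
    """Map each flagged component name to its findings; healthy ones are omitted."""
    report: Dict[str, List[str]] = {}
    for comp in components:
        findings = classify(comp, today)
        if findings:
            report[comp.name] = findings
    return report


# Constructed inventory for the example (names, versions and dates are made up).
TODAY = date(2024, 3, 1)
INVENTORY = [
    # Pinned at 1.2.0 while upstream has shipped 1.3.0 .. 1.13.0: 11 releases behind.
    Component("libfoo", "1.2.0",
              releases=[f"1.{minor}.0" for minor in range(2, 14)],
              last_commit=date(2024, 1, 15)),
    # Up to date with upstream, but upstream itself has been silent since 2021.
    Component("abandoned-utils", "0.9.1",
              releases=["0.9.0", "0.9.1"],
              last_commit=date(2021, 6, 1)),
    # One release behind and actively maintained: not a zombie.
    Component("healthy-lib", "3.4.1",
              releases=["3.4.0", "3.4.1", "3.5.0"],
              last_commit=date(2024, 2, 20)),
]

if __name__ == "__main__":
    for name, findings in zombie_report(INVENTORY, TODAY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Note that the two thresholds catch different problems: `libfoo` is maintained upstream but neglected locally, while `abandoned-utils` is current but has nobody left to fix the next CVE. Both warrant a review, but the second usually means replacing the component rather than bumping a version.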
The report also breaks high-risk findings down by industry, and no sector escapes them. Computer Hardware and Semiconductors had the highest share of codebases with high-risk vulnerabilities (88%), followed by Manufacturing, Industrials, and Robotics at 87%. Big Data, AI, BI, and Machine Learning came in at 66%. Even at the low end, Aerospace, Aviation, Automotive, Transportation, and Logistics still had high-risk vulnerabilities in a third (33%) of codebases.
The OSSRA report also addressed challenges related to open source licensing compliance, highlighting that over half (53%) of the codebases analysed contained license conflicts. Furthermore, 31% of codebases were found to be using code with either indiscernible licenses or customised licenses, posing potential risks for organisations. Notably, the Computer Hardware and Semiconductors industry ranked highest in the percentage of codebases with license conflicts (92%), followed by Manufacturing, Industrials, and Robotics at 81%.
The report also found that eight of the ten most common vulnerabilities share a single root cause: Improper Neutralisation (CWE-707), the family of weaknesses in which untrusted input reaches an interpreter (a browser, a database, a shell) without the characters that change its meaning being escaped or removed. Cross-site scripting in its various forms accounts for most of these, and such flaws can have severe consequences if exploited.
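What “improper neutralisation” means in practice is easiest to see in the cross-site scripting case the report singles out. The following is an added example, not code from the report or from any of the audited products: a vulnerable HTML rendering function beside hardened versions for three different output contexts, because the correct neutraliser depends on where the untrusted value lands. The payload strings are constructed.

```python
"""Improper neutralisation (CWE-707) in its most common web form, reflected
cross-site scripting: the vulnerable rendering beside context-aware fixes.
Added example, not code from the OSSRA report.  Inputs are constructed."""
import html
import json

# Constructed attacker-controlled input, as it might arrive in a query string.
PAYLOAD = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input is concatenated into HTML without neutralising the
    # characters that change its meaning (<, >, &, ", ').  The payload above
    # becomes a live script element.
    return f"<p>Hello, {name}!</p>"


def render_greeting_fixed(name: str) -> str:
    # Element-body context: html.escape neutralises <, >, & and, with
    # quote=True, also " and ', so the same helper is safe inside a quoted
    # attribute value.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_fixed(label: str, target: str) -> str:
    # URL-valued attribute context: escaping alone is not enough, because a
    # javascript: URL contains no HTML-special characters at all.  Neutralise
    # by allow-listing the scheme first, then escape for the attribute.
    if not target.lower().startswith(("http://", "https://")):
        target = "#"
    return f'<a href="{html.escape(target, quote=True)}">{html.escape(label)}</a>'


def render_inline_script_fixed(user_value: str) -> str:
    # JavaScript context: HTML escaping is the wrong neutraliser here (the
    # entities would be passed to the script verbatim).  Encode the value as a
    # JSON string literal and replace "<" so that "</script>" inside the value
    # cannot close the element early.
    literal = json.dumps(user_value).replace("<", "\\u003c")
    return f"<script>var q = {literal};</script>"


if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))
    print(render_greeting_fixed(PAYLOAD))
    print(render_link_fixed("click", "javascript:alert(1)"))
    print(render_inline_script_fixed("</script><script>alert(1)</script>"))
```

The point of the three fixed variants is that there is no single “sanitise” call: the neutraliser must match the output context, which is why templating engines with contextual auto-escaping are the usual recommendation rather than hand-written string building.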
For those interested in delving deeper into the 2024 OSSRA findings, Synopsys has made the report available for download on their website, along with a blog post detailing key takeaways. Additionally, a webinar scheduled for March 28th offers an opportunity to learn more about the implications of the report and strategies for enhancing open source security.
In conclusion, the 2024 OSSRA report serves as a wake-up call for organisations to address the escalating risks posed by high-risk open source vulnerabilities in commercial codebases. By prioritising software hygiene, maintaining updated components, ensuring licensing compliance, and addressing common weakness types, businesses can strengthen their software supply chain security and mitigate potential threats posed by cybercriminals.
