High-Risk Open Source Vulnerabilities Surging Since Last Year
March 18, 2024

Nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities, representing a sharp uptick from the previous year, according to the Open Source Security and Risk Analysis (OSSRA) report from Synopsys.

While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. This can potentially be attributed to variables like economic instability and the consequent layoffs of tech workers, reducing the number of resources available to patch vulnerabilities.

According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.

"This year's OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals," said Jason Schmitt, GM, Synopsys Software Integrity Group. "The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain."

Additional key findings from the 2024 OSSRA report include:

A "zombie code" apocalypse

Organizations are depending on outdated or inactive open source components. 91% of codebases contained components that were 10 or more versions out-of-date, and nearly half (49%) of codebases contained components that had no development activity within the past two years.

The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.

High-risk open source vulnerabilities permeate across critical industries

The Computer Hardware and Semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by Manufacturing, Industrials and Robotics at 87%.

Closer to the middle of the pack, the Big Data, AI, BI and Machine Learning industry had 66% of its codebases impacted by high-risk vulnerabilities.

At the bottom of the list, the Aerospace, Aviation, Automotive, Transportation and Logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.

Open source license challenges remain

License compliance is an important aspect of effective software supply chain management, but the report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license.

Once again, the Computer Hardware and Semiconductors industry ranked highest in percentage of codebases containing license conflicts at 92% followed by Manufacturing, Industrials and Robotics at 81%. Just one noncompliant license in software can result in loss of lucrative intellectual property, time-consuming remediation and delays in getting products to market.

Eight of the top 10 vulnerabilities trace back to one common weakness type

The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707). This weakness type includes the various forms of cross-site scripting that, if exploited, can be quite severe.

Methodology: For the 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) analyzed anonymized findings from more than 1,000 commercial codebase audits across 17 industries.

Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1