
Report: Overwhelming majority of codebases have open source vulnerabilities, half deemed high-risk


Despite the industry’s increasing focus on software supply chain security, the overwhelming majority of organizations’ software codebases still contain high-risk open source vulnerabilities, according to a new report from Synopsys.  

The company, which provides application security services, said in its annual Open Source Security and Risks Analysis (OSSRA) that among the 1,703 codebases across 17 industries examined in 2022, 84% of codebases contained at least one known open source vulnerability, and nearly half (48%) of those were considered high-risk.  

“While the security industry has become more aware of software supply chain issues in recent years, our report shows that many organizations still have trouble managing open source usage effectively and safely,” said Michael McGuire, senior software solutions manager at Synopsys.  

The Log4j vulnerability was just one of many that highlighted how a growing number of organizations have adopted free open source code without a proper vulnerability management process, leaving them ripe for exploitation.  

In fact, 96% of the codebases audited in the report contained at least some code pulled from open source projects or repositories, and the average organization had 595 different open source components in its software.  

The report also looked at data from the previous five years of OSSRA reports and concluded that the risk posed by open source vulnerabilities varied across sectors.  

The retail and e-commerce sector has seen a 557% increase in high-risk open source vulnerabilities since 2019, followed by the Aerospace, Aviation, Automotive, Transportation, and Logistics vertical and the Internet of Things, which saw increases of 232% and 130%, respectively. 

McGuire highlighted that the increasing amount of open source vulnerabilities associated with IoT is particularly concerning as its devices connect to many aspects of people’s lives.  

“IoT is a relatively immature industry with strong competition. Many companies are spending much time innovating unique features to differentiate their products in the market. However, developing these features from scratch can be time-consuming and costly, so they heavily rely on open source projects to help them quickly build the underlying functionality,” McGuire said.  

According to the report, 100% of codebases scanned in the IoT vertical contained open source, and 53% had high-risk vulnerabilities in 2022.  

“While open source vulnerabilities and IoT devices each get attention, the connection between them often does not,” said Bud Broomhead, chief executive at Viakoo. “Synopsys’ report makes the connection very clear, and what makes this alerting is that while almost all organizations have deployed solutions to address IT security, far fewer have yet taken action on IoT vulnerabilities.” 

Kristen Bell, director of application security engineering at GuidePoint Security, said organizations should eliminate some of the “tail wagging the dog” by maturing their current vulnerability management process and standards to address the persistent threat of open source vulnerabilities.  

Synopsys data also indicates that developers continue to use components that are no longer being actively maintained, something that demonstrates the urgent need to put better governance practices in place, Bell noted.  

McGuire added that organizations should also do better with data sanitization.  

“I say this because a handful of the most prevalent high-severity vulnerabilities we identified in the codebases have ‘data sanitization’ as a common denominator. So it appears that development teams are struggling with sanitizing the data their applications take as input from users or other interfaces,” McGuire said. “This doesn’t necessarily mean that they are unable to do it or don’t know how, but it can expose that these teams are just trusting that the sanitization job will be done by some other method or component they’re using.” 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
