Most codebases contain a huge number of open source vulnerabilities
The number of commercial codebases containing high-risk vulnerabilities introduced through open source components has increased dramatically year over year.
A report from Synopsys found that nearly three-quarters (74%) of the codebases examined contain vulnerabilities that are actively exploited, have proof-of-concept (PoC) exploits available, or are classified as remote code execution flaws. This number is up from 48% a year ago.
While the researchers don’t know why the number of high-risk vulnerabilities has increased so significantly in just a year, they speculate that economic instability and the resulting layoffs of technology workers may have something to do with it. The general state of the market has reduced the resources available to patch vulnerabilities, which would explain the results above.
Semiconductor vertical in danger
While the risk is present across industries, the computer hardware and semiconductor industries bear the brunt, with 88% of codebases containing high-risk open source bugs.
Manufacturing, Industry and Robotics came in second with 87%. The Big Data, AI, BI and Machine Learning industries had 66%, while the aerospace, aviation, automotive, transportation and logistics sectors were at the very bottom with 33%.
For Jason Schmitt, managing director of Synopsys Software Integrity Group, the report’s findings are “alarming.” “Increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp increase in open source vulnerabilities,” he says. “Malicious actors have taken notice of this attack vector, so maintaining good software hygiene by effectively identifying, tracking, and managing open source is a key element to strengthening the security of the software supply chain.”
Elsewhere in the report, Synopsys also said that the percentage of codebases with at least one open source vulnerability “remained consistent” year over year at 84%.