Synopsys Report Exposes Extent of Open Source Software Security Risks

A report published today by Synopsys finds nearly three-quarters (74%) of the 1,067 commercial codebases scanned contain open source components impacted by high-risk vulnerabilities.

Overall, the report finds nearly every codebase (96%) contained some open source code, with 84% having at least one vulnerability.

In total, 77% of the code scanned could be traced back to an open source project. The challenge is that 91% of the codebases contained components that were 10 or more versions out of date, and nearly half (49%) of codebases contained components that had seen no development activity within the past two years.

The report also found the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities that were more than 10 years old.

The report finds that the most common type of vulnerability involved improper neutralization flaws (CWE-707) that could be used to enable a cross-site scripting attack.

Mike McGuire, a senior software solutions manager for Synopsys, makes it clear that an increasing percentage of codebases are based on existing freely available software that has some inherent risks.

In addition, far too many organizations are not effectively tracking licenses, whose conditions vary widely from one open source project to another. For example, the report finds more than half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license.

There’s no doubt that open source software plays a crucial role in enabling innovation, but the more dependent organizations become on it, the greater the chance that cybercriminals will exploit a known vulnerability that is fairly easy to discover, noted McGuire. Organizations are not likely to revert to relying on custom proprietary code anytime soon, because it’s often just as probable that similar vulnerabilities will still be present in their codebases, but organizations do need to proactively identify vulnerabilities to reduce their overall level of risk, added McGuire.

Of course, organizations are not always able to remediate vulnerabilities in open source code without help from the maintainers of the original project. The challenge is many of those maintainers are unpaid volunteers who don’t always make applying patches to software an urgent priority.

Ideally, organizations would scan for vulnerabilities any time open source software is downloaded as part of any effort to shift more responsibility for security further left toward developers. Unfortunately, developers don’t always consistently run scans, so organizations also need to scan codebases both before they are deployed and after they are updated. In effect, rather than shifting responsibility for application security all the way to the left, organizations need to extend it to include application developers, said McGuire.

In the meantime, however, it’s apparent cybercriminals are more aware of the numerous vulnerabilities in codebases. As they become more adept at exploiting those vulnerabilities, the odds there will be a major cybersecurity incident only increase in an era where the amount of code being deployed in production environments with each passing day only continues to expand.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
