STOCK TITAN

New Synopsys Report Finds 74% of Codebases Contained High-Risk Open Source Vulnerabilities, Surging 54% Since Last Year

Rhea-AI Impact
(Low)
Rhea-AI Sentiment
(Negative)
Tags
Rhea-AI Summary
Synopsys, Inc. released the ninth edition of the annual 'Open Source Security and Risk Analysis' report, revealing a significant increase in high-risk open source vulnerabilities in commercial codebases. The report highlights key findings such as the rise in high-risk vulnerabilities, outdated components, industry-specific vulnerabilities, license conflicts, and common weakness types.
Positive
  • None.
Negative
  • None.

Insights

The surge in high-risk vulnerabilities within commercial codebases, as indicated by the OSSRA report, is a critical concern for the cybersecurity community. The increase from 48% to 74% in such vulnerabilities year-over-year is not just a statistical concern, but a real-world indicator of potential threats to business operations and data integrity. Cybersecurity experts must now grapple with the growing complexity of software supply chains and the urgent need for robust vulnerability management practices.

Organizations must prioritize the identification and patching of high-risk vulnerabilities, particularly those that are old or have known exploits. The report's revelation of prevalent 'zombie code'—outdated and inactive open source components—underscores the necessity for businesses to conduct regular software audits and update their dependencies. This is crucial not only for security but also for maintaining functionality and compatibility with other software ecosystems.

From a compliance perspective, the OSSRA report's findings on open source license conflicts are alarming, with over half of the codebases containing such issues. The high incidence of license conflicts, especially in the Computer Hardware and Semiconductors industry, poses significant legal risks. Companies could face litigation, fines, or be forced to disclose proprietary code if they are found to be non-compliant with open source licenses.

It is essential for businesses to implement strict license management protocols and ensure that all open source components are used in accordance with their respective licenses. Failure to do so can lead to intellectual property loss and delays in product releases, which in turn can have severe financial repercussions and damage to the company's reputation.

The prevalence of outdated open source components, as highlighted by the OSSRA report, presents a significant challenge for development teams. The fact that 91% of codebases contain components that are several versions behind is a testament to the difficulties in maintaining current software in a fast-paced development environment.

Development managers must address the technical debt associated with such 'zombie code' to prevent security vulnerabilities and ensure the longevity and reliability of their software products. This includes implementing automated tools for tracking and updating dependencies, as well as fostering a culture of continuous integration and delivery that emphasizes regular updates and security checks.

The Computer Hardware and Semiconductors industry contained the most open source vulnerabilities classified as high risk, followed by Manufacturing, Industrials and Robotics

SUNNYVALE, Calif., Feb. 27, 2024 /PRNewswire/ -- Synopsys, Inc. (Nasdaq: SNPS) today released the ninth edition of the annual "Open Source Security and Risk Analysis" (OSSRA) report. The research highlights that nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities, representing a sharp uptick from the previous year.

In the 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) analyzes anonymized findings from more than 1,000 commercial codebase audits across 17 industries. The report provides security, development and legal teams with a comprehensive view of the open source landscape, including trends in the adoption and use of open source software as well as the prevalence of security vulnerabilities, and software licensing and code quality risks.

While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. This can potentially be attributed to variables like economic instability and the consequent layoffs of tech workers, reducing the number of resources available to patch vulnerabilities. According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.

"This year's OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals," said Jason Schmitt, general manager, Synopsys Software Integrity Group. "The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain."

Additional key findings from the 2024 OSSRA report include

  • A "zombie code" apocalypse: Organizations are depending on outdated or inactive open source components. Ninety-one percent of codebases contained components that were 10 or more versions out-of-date, and nearly half (49%) of codebases contained components that had no development activity within the past two years. The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.
  • High-risk open source vulnerabilities permeate across critical industries: The Computer Hardware and Semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by Manufacturing, Industrials and Robotics at 87%. Closer to the middle of the pack, the Big Data, AI, BI and Machine Learning industry had 66% of its codebases impacted by high-risk vulnerabilities. At the bottom of the list, the Aerospace, Aviation, Automotive, Transportation and Logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.
  • Open source license challenges remain: License compliance is an important aspect of effective software supply chain management, but the report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license. Once again, the Computer Hardware and Semiconductors industry ranked highest in percentage of codebases containing license conflicts at 92% followed by Manufacturing, Industrials and Robotics at 81%. Just one noncompliant license in software can result in loss of lucrative intellectual property, time-consuming remediation and delays in getting products to market.
  • Eight of the top 10 vulnerabilities trace back to one common weakness type: The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707). This weakness type includes the various forms of cross-site scripting that, if exploited, can be quite severe.

To learn more about the 2024 OSSRA findings, download a copy of the report, read the blog post or register for the March 28th webinar.

About the Synopsys Software Integrity Group
Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that's best for them. Only Synopsys offers everything you need to build trust in your software. Learn more at www.synopsys.com/software.

About Synopsys
Catalyzing the era of pervasive intelligence, Synopsys, Inc. (Nasdaq: SNPS) delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation. We partner closely with semiconductor and systems customers across a wide range of industries to maximize their R&D capability and productivity, powering innovation today that ignites the ingenuity of tomorrow.  Learn more at www.synopsys.com.

Editorial Contact:
Liz Samet
Synopsys, Inc.
336-414-6753
esamet@synopsys.com

 

Cision View original content to download multimedia:https://www.prnewswire.com/news-releases/new-synopsys-report-finds-74-of-codebases-contained-high-risk-open-source-vulnerabilities-surging-54-since-last-year-302071630.html

SOURCE Synopsys, Inc.

FAQ

What report did Synopsys, Inc. release?

Synopsys, Inc. released the ninth edition of the annual 'Open Source Security and Risk Analysis' report.

What percentage of codebases assessed for risk contain open source components impacted by high-risk vulnerabilities?

Nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities.

What was the increase in codebases with high-risk open source vulnerabilities from 2022 to 2023?

The percentage of codebases with high-risk open source vulnerabilities increased from 48% in 2022 to 74% in 2023.

What percentage of codebases contained components that were 10 or more versions out-of-date?

Ninety-one percent of codebases contained components that were 10 or more versions out-of-date.

Which industry had the highest percentage of codebases with high-risk open source vulnerabilities?

The Computer Hardware and Semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities at 88%.

What common weakness type do eight of the top 10 vulnerabilities trace back to?

Eight of the top 10 vulnerabilities trace back to Improper Neutralization weaknesses (CWE-707).

Synopsys Inc

NASDAQ:SNPS

SNPS Rankings

SNPS Latest News

SNPS Stock Data

80.89B
153.61M
0.43%
94.92%
1.73%
Software - Infrastructure
Services-prepackaged Software
Link
United States of America
SUNNYVALE