Open Source Flaws Found in 84% of Codebases
More than four out of five (84%) codebases contain at least one known open source vulnerability.
The figures come from Synopsys’ new Open Source Security and Risk Analysis Report (OSSRA), which reports an increase of almost 4% compared to last year’s figure.
The research document also mentions a 163% growth in the edtech sector’s adoption of open source, followed by the aerospace, aviation, automotive, transportation and logistics sectors (97%) and manufacturing and robotics (74%).
“The key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents,” commented Mike McGuire, senior software solutions manager within the Synopsys Software Integrity Group.
“By building this visibility into the application lifecycle, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution.”
High-risk flaws have grown substantially over the last five years (since 2019), most sharply in the retail and e-commerce sector (557%).
Further, Synopsys found that 31% of codebases rely on open source with no discernible license or with customized licenses, a 55% increase from last year.
Finally, 91% of the audited codebases contained outdated versions of open source components.
“Organizations leveraging any type of third-party software should rightfully assume that it contains open source,” McGuire explained.
“Verifying this, and staying on top of the associated risk, is as simple as obtaining an SBOM [Software Bill of Materials] – something easily provided by a vendor taking the necessary steps to secure their software supply chain.”
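As an added illustration of the visibility McGuire describes (example code, not from Synopsys or the report), the script below audits a constructed CycloneDX-style SBOM for the three risk classes the OSSRA figures count: known-vulnerable versions, missing or customized licenses, and outdated components. The package names, advisory id, "latest version" table and license list are all constructed placeholders standing in for a real package index and advisory feed.

```python
import json

# Constructed CycloneDX-style SBOM excerpt (sample data, not from the report or any real project).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "example-http", "version": "2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "example-yaml", "version": "0.9.0", "licenses": []},
  {"name": "example-auth", "version": "1.4.2", "licenses": [{"license": {"name": "Custom EULA"}}]}
]}
"""

# Constructed reference data standing in for a package index and an advisory feed.
LATEST_KNOWN = {"example-http": "2.5.0", "example-yaml": "0.9.0", "example-auth": "1.4.2"}
KNOWN_VULNERABLE = {("example-http", "2.3.1"): "ADV-EXAMPLE-0001"}  # placeholder advisory id
KNOWN_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only"}

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def license_ids(component):
    """Collect SPDX ids from a component; a name-only license entry counts as a custom license."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or f"custom:{lic.get('name', '?')}")
    return ids

def audit_sbom(sbom_text):
    """Return (component, version, issue) findings for each risk class the OSSRA report counts."""
    findings = []
    for c in json.loads(sbom_text)["components"]:
        name, version = c["name"], c["version"]
        ids = license_ids(c)
        if not ids:
            findings.append((name, version, "no discernible license"))
        elif any(i not in KNOWN_LICENSES for i in ids):
            findings.append((name, version, "customized license"))
        adv = KNOWN_VULNERABLE.get((name, version))
        if adv:
            findings.append((name, version, f"known vulnerability {adv}"))
        latest = LATEST_KNOWN.get(name)
        if latest and parse_version(version) < parse_version(latest):
            findings.append((name, version, f"outdated (latest {latest})"))
    return findings

if __name__ == "__main__":
    for name, version, issue in audit_sbom(SBOM_JSON):
        print(f"{name}@{version}: {issue}")
```

In practice the three reference tables would be fed from a real package index and vulnerability database rather than hard-coded; the SBOM parsing and the per-component checks stay the same.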
The 2023 OSSRA report compiles the results of over 1,700 audits of commercial and proprietary codebases from merger and acquisition transactions and highlights trends across 17 industries.
It also contains various recommendations for companies to better face the security risks of open source development and use.
The new data comes weeks after Sonatype cybersecurity researchers uncovered more than 700 malicious open source packages on the npm and PyPI open source registries.