At a time when almost all software contains open source code, researchers at application security company Synopsys found at least one known open source vulnerability in 84 per cent of the commercial and proprietary code bases they examined.
In addition, 48 per cent of all code bases analysed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.
The vulnerability data — along with information on open source license compliance — was included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report, put together by the company's Cybersecurity Research Center (CyRC).
The report is based on analysis of audits of code bases involved in merger and acquisition transactions and highlights trends in open source usage across 17 industries. (Synopsys' Audit Services unit audits code to identify software risks for companies involved in merger and acquisition deals.)
The audits examined 1,481 code bases for vulnerabilities and open source licensing compliance, and 222 other code bases were analysed only for compliance.
Open source vulnerabilities increase
The OSSRA report is based on code audits done in 2022, in which the number of known open source vulnerabilities rose by 4% from 2021.
“Open source was in nearly everything we examined this year; it made up the majority of the code bases across industries,” the report said, adding that the code bases contained troublingly high numbers of known vulnerabilities that organisations had failed to patch, leaving them vulnerable to exploits.
All code bases examined from companies in the aerospace, aviation, automotive, transportation, and logistics sectors contained some open source code, with open source code making up 73 per cent of total code.
Sixty-three per cent of all code in this sector (open source and proprietary) contained vulnerabilities classified as high risk, that is, those with a CVSS severity score of 7 or higher.
In the energy and clean tech sector, 78 per cent of the total code was open source and 69 per cent contained high-risk vulnerabilities.
Though code bases from companies in these sectors had higher percentages of total vulnerabilities than other sectors, "similar findings, to lesser degrees, played out across all industries," according to the report.
Open source adoption jumps
The percentage of open source code has risen in code bases in all industry verticals over the last five years, according to the OSSRA report.
Between 2018 and 2022, for example, the percentage of open source code within scanned code bases grew by 163 per cent in technology for the education sector; 97 per cent in aerospace, aviation, automotive, transportation, and logistics; and 74 per cent in manufacturing and robotics.
“We attribute EdTech’s explosive open source growth to the pandemic, with education pushed online and software serving as its critical foundation,” the report said.
High-risk vulnerabilities rise
Meanwhile, there has been an increase in high-risk vulnerabilities across all sectors. For instance, aerospace, aviation, automotive, transportation, and logistics companies recorded a 232 per cent increase in high-risk vulnerabilities over the five-year period.
“Much of the software and firmware used in these industries operates within closed systems, which can reduce the likelihood of an exploit and may lead to a lack of urgency in the need to patch it,” Synopsys said.
High-risk vulnerabilities in IoT-related code bases have jumped 130 per cent since 2018.
“This is particularly concerning when we think about the utility of IoT devices; we connect many aspects of our lives to these devices and trust in the inherent safety in doing so,” the researchers noted.
Available patches not applied
Of the 1,481 code bases examined by the researchers that included risk assessments, 91 per cent contained outdated versions of open source components, meaning an update or patch was available but had not been applied.
One reason, the researchers say, may be that DevSecOps teams judge the risk of unintended consequences from an update to outweigh whatever benefit the newer version would bring; limited time and resources are another.
“With many teams already stretched to the limit building and testing new code, updates to existing software can become a lower priority except for the most critical issues,” the report said.
In addition, DevSecOps teams may not know when there is a newer version of an open source component available — if they are aware of the component at all, the report said.
SBOMs help maintain code quality, compliance
To avoid vulnerability exploits and keep open source code updated, organisations should use a software bill of materials (SBOM), the report suggests.
A comprehensive SBOM lists every open source component in an application along with its license, version, and patch status.
An SBOM of open source components allows organisations to pinpoint at-risk components quickly and prioritise remediation appropriately, the report concludes.
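The two points above, that most code bases ship outdated components even when a fix exists, and that an SBOM lets a team find the at-risk ones and rank them, are easiest to see in code. The following is an added example, not tooling from the OSSRA report or from Synopsys: it reads a small SBOM shaped loosely like a CycloneDX JSON document, checks each component against an advisory feed, and orders the findings so the highest-CVSS and outdated components come first, using the report's CVSS 7 threshold for "high risk". The SBOM, the advisory feed, the component names and the advisory identifiers are all constructed placeholders; a real pipeline would pull the feed from a vulnerability database instead of an inline dictionary.

```python
"""Triage an SBOM against an advisory feed and rank components for remediation.

Added example, not code from the OSSRA report or Synopsys. All data below is
constructed: component names, versions and advisory IDs are placeholders.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

HIGH_RISK_CVSS = 7.0  # the report classes CVSS 7 or higher as high risk

# Constructed SBOM, loosely shaped like a CycloneDX JSON document.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-http-lib",   "version": "1.2.0", "licenses": ["Apache-2.0"]},
    {"name": "example-xml-parser", "version": "3.0.1", "licenses": ["MIT"]},
    {"name": "example-crypto",     "version": "2.9.0", "licenses": ["BSD-3-Clause"]},
    {"name": "example-logger",     "version": "5.1.0", "licenses": []}
  ]
}
"""

# Constructed advisory feed: latest known release per component, plus advisories
# that affect every version below "fixed". IDs are placeholders, not real CVEs.
ADVISORIES = {
    "example-http-lib": {
        "latest": "1.4.2",
        "advisories": [{"id": "ADV-PLACEHOLDER-001", "cvss": 9.8, "fixed": "1.3.0"}],
    },
    "example-xml-parser": {"latest": "3.0.1", "advisories": []},
    "example-crypto": {
        "latest": "3.1.0",
        "advisories": [{"id": "ADV-PLACEHOLDER-002", "cvss": 5.3, "fixed": "3.0.0"}],
    },
    # "example-logger" is absent on purpose: a component the feed cannot vouch for.
}


def parse_version(text):
    """Turn a dotted numeric version such as '1.2.10' into (1, 2, 10)."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    name: str
    version: str
    latest: Optional[str]       # None when the feed has never heard of the component
    outdated: bool              # a newer release exists but is not in use
    unknown: bool               # component not present in the advisory feed
    missing_license: bool       # SBOM carries no license for the component
    advisories: list = field(default_factory=list)  # advisories still open for this version

    @property
    def max_cvss(self):
        return max((a["cvss"] for a in self.advisories), default=0.0)

    @property
    def high_risk(self):
        return self.max_cvss >= HIGH_RISK_CVSS


def triage(sbom_json, feed):
    """Match SBOM components against the feed and return findings, worst first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        no_license = not comp.get("licenses")
        entry = feed.get(name)
        if entry is None:
            findings.append(Finding(name, version, None, False, True, no_license))
            continue
        installed = parse_version(version)
        still_open = [a for a in entry["advisories"] if installed < parse_version(a["fixed"])]
        findings.append(Finding(
            name, version, entry["latest"],
            outdated=installed < parse_version(entry["latest"]),
            unknown=False,
            missing_license=no_license,
            advisories=still_open,
        ))
    # Highest CVSS first, then outdated components, then ones the feed does not know.
    findings.sort(key=lambda f: (-f.max_cvss, not f.outdated, not f.unknown, f.name))
    return findings


def summarise(findings):
    """Counts in the shape the report uses: how many components are outdated, high risk, etc."""
    return {
        "components": len(findings),
        "outdated": sum(f.outdated for f in findings),
        "high_risk": sum(f.high_risk for f in findings),
        "unknown_to_feed": sum(f.unknown for f in findings),
        "missing_license": sum(f.missing_license for f in findings),
    }


if __name__ == "__main__":
    results = triage(SBOM_JSON, ADVISORIES)
    for f in results:
        ids = ",".join(a["id"] for a in f.advisories) or "-"
        print(f"{f.name:20} {f.version:8} latest={f.latest or '?':8} "
              f"cvss={f.max_cvss:<4} outdated={f.outdated!s:5} advisories={ids}")
    print(summarise(results))
```

The ranking key encodes the report's remediation advice directly: a component with an open high-severity advisory outranks one that is merely behind the latest release, and a component the feed does not recognise is surfaced rather than silently treated as clean, since an unknown component is exactly the case where a team "may not be aware of the component at all".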