Synopsys, Inc. today released the ninth edition of the annual “Open Source Security and Risk Analysis” (OSSRA) report.
The research highlights that nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities, representing a sharp uptick from the previous year.
In the 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) analyses anonymised findings from more than 1,000 commercial codebase audits across 17 industries.
The report provides security, development and legal teams with a comprehensive view of the open source landscape, including trends in the adoption and use of open source software as well as the prevalence of security vulnerabilities, and software licensing and code quality risks.
While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. This can potentially be attributed to variables like economic instability and the consequent layoffs of tech workers, reducing the number of resources available to patch vulnerabilities.
According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.
“This year’s OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals,” said Jason Schmitt, general manager, Synopsys Software Integrity Group.
“The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”
Leave a Comment