Why So Much Open Source Software Is Vulnerable to Hackers
The Open Source Security and Risk Analysis (OSSRA) report, published by Synopsys — a long-established electronic design automation (EDA) and security provider — describes the current state of open source security, compliance, licensing, and code quality risks in commercial software based on 1,700 audits across 17 global industries. The study revealed that a massive 84% of codebases contained at least one known open source vulnerability — an increase of 4% from last year.
The report is a clear wake-up call for companies that rely on open source software, which has long been the foundation of many different types of application and infrastructure software. It suggests that the first step in remediating business risk from open source, proprietary, and commercial code is to conduct a comprehensive inventory of all software that the business uses, regardless of where it originated or how it was acquired. This would involve creating a Software Bill of Materials (SBOM), which lists all open source components in an application, as well as their licenses, versions, and patch status.
The OSSRA report revealed several other relevant findings. For example:
- There has been significant growth in open source usage during the past five years, with the EdTech sector experiencing the most significant increase; its number of open source instances has grown by 163%.
- The report also found that high-risk vulnerabilities have increased at an alarming rate, with the retail and e-commerce sector seeing an astounding 557% jump in high-risk vulnerabilities since 2019.
- Comparatively, the internet of things (IoT) sector, with 89% of the total code being open source, experienced a 130% increase in high-risk vulnerabilities in the same period. Similarly, the aerospace, aviation, automotive, transportation and logistics vertical was found to have a 232% increase in high-risk vulnerabilities.
- The use of open source components with no licenses has put many organizations at greater risk of violating copyright law than those using licensed components.
- Available code quality and security patches are not being applied often enough to a majority of codebases. Of the 1,480 audited codebases that included risk assessments, 91% contained outdated versions of open source components. This could lead to vulnerabilities being exploited by cybercriminals who are always on the lookout for weaknesses in software supply chains.
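The inventory the report recommends only pays off if it is checked against advisory data. The following added example (not from the OSSRA report or Synopsys) parses a constructed minimal CycloneDX-style SBOM and flags the two risks the findings above call out: components with no declared license, and components whose version is older than the version that carries a fix. The component names, versions and the `FIXED_IN` advisory table are all made up for illustration.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM for one application.
# Component names, versions and licenses are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libfoo", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "3.4.1", "licenses": []},
        {"name": "libbaz", "version": "0.9.5", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Constructed advisory table: component name -> first version that contains the fix.
# In practice this would be fed from a vulnerability database or vendor advisories.
FIXED_IN = {"libfoo": "1.2.3", "libbaz": "0.9.5"}


def parse_version(text):
    """Split a dotted numeric version string into a tuple of ints for comparison."""
    return tuple(int(part) for part in text.split("."))


def audit_sbom(sbom_json, fixed_in=FIXED_IN):
    """Return a list of (component, version, finding) for each risk found in the SBOM."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"], comp["version"]
        # License risk: a component shipped with no declared license.
        if not comp.get("licenses"):
            findings.append((name, version, "no license declared"))
        # Patch-status risk: a component older than the version that carries the fix.
        fixed = fixed_in.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, version, f"outdated, fixed in {fixed}"))
    return findings


if __name__ == "__main__":
    for name, version, finding in audit_sbom(SAMPLE_SBOM):
        print(f"{name} {version}: {finding}")
```

Components already at or above the fixed version (here `libbaz`) produce no finding, so the output is the remediation list rather than the full inventory.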
Many commercial and proprietary codebases are acquired through merger and acquisition transactions. With companies accumulating hundreds (often thousands) of apps and web services over time, it's virtually impossible for acquiring companies to know everything about the vulnerabilities that newly acquired systems introduce into their environments.
“Vulnerabilities are just part of doing business in the software industry,” Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group, told TNS. “But not all vulnerabilities are created equally. I think the more concerning number are the high-risk vulnerabilities that we found in almost half the code base.”
A number of companies compile their own software and cybersecurity vulnerability reports on a regular basis. These include Cisco Systems, Fortinet, Arctic Wolf, Imperva, and others.
A high-risk vulnerability is defined by the Cybersecurity Research Center this way, McGuire said:
“They take the advisories from numerous (industry) security feeds, analyze them and send them out to our customers. And as part of this analysis, they assign severity scores. When it comes to open source vulnerabilities, they’re using the CVSS scoring system. It (severity) also depends on whether or not there’s an exploit; whether or not there is a fix available; the type of exploit; how easy it is for somebody to go through and actually exploit the application; whether this can be done remotely; and whether you have access to the running instance. So all these (attributes) are taken into consideration for that score. And then that score is what tells us whether or not it’s a high-severity vulnerability,” McGuire said.
Jason Schmitt, general manager of the Synopsys Software Integrity Group, said that the report findings underlined the reality of open source as the underlying foundation of most types of software built today. Schmitt said that a 13% year-over-year increase in the average number of open source components utilized (from 528 to 595) in this year’s audits further reinforced the importance of implementing a comprehensive SBOM.
McGuire said that the key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents. By building this visibility into the application lifecycle, he said, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution.
Synopsys, based in Mountain View, Calif., develops electronic products and software applications for electronic design automation (EDA), semiconductor IP, software quality, and security solutions.