84 percent of codebases contain known open source vulnerabilities


A new study, based on the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions, finds 84 percent contain at least one known open source vulnerability, an increase of almost four percent from last year.

The Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), shows growing use of open source. In the education technology sector it's grown by 163 percent, with educational courses and instructor/student interactions increasingly pushed online.

Other areas experiencing a large spike in open source growth include the aerospace, aviation, automotive, transportation and logistics sector, with a 97 percent increase, and manufacturing and robotics with 74 percent growth.

Since 2019, high-risk vulnerabilities in the retail and eCommerce sector have jumped by 557 percent. The Internet of Things sector, with 89 percent of its total code being open source, has seen a 130 percent increase in high-risk vulnerabilities over the same period. Similarly, aerospace, aviation, automotive, transportation and logistics saw a 232 percent increase in high-risk vulnerabilities.

The report also finds that 31 percent of codebases are using open source with no discernible license or with customized licenses. This is a 55 percent increase from last year's OSSRA report. The lack of a license associated with open source code, or a variant of another open source license, may place undesirable requirements on the licensee and will often require legal evaluation for possible IP issues or other legal implications.

"The key to managing open source risk at the speed of modern development is maintaining complete visibility of application contents," says Mike McGuire, senior software solutions manager within the Synopsys Software Integrity Group. "By building this visibility into the application lifecycle, businesses can arm themselves with the information needed to make informed, timely decisions regarding risk resolution. Organizations leveraging any type of third-party software should rightfully assume that it contains open source. Verifying this, and staying on top of the associated risk, is as simple as obtaining an SBOM -- something easily provided by a vendor taking the necessary steps to secure their software supply chain."

The full report is available from the Synopsys site.

Image credit: Artur Szczybylo/Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.