The number of commercial code bases containing high-risk vulnerabilities integrated through open source components has increased dramatically year over year.
A Synopsys report found that nearly three-quarters (74%) of the code bases audited contained vulnerabilities that are actively being exploited, have a public proof of concept (PoC), or are classified as remote code execution flaws. That figure is up from 48% a year earlier.
While the researchers don't know why the number of high-risk vulnerabilities rose so sharply in a single year, they speculate that economic instability and the resulting layoffs of tech workers may be a factor: a weaker market has reduced the resources available for patching vulnerabilities, which would account for the increase described above.
Semiconductor vertical at risk
While the risk is present in several industries, the computer hardware and semiconductor industry has the worst situation, with 88% of code bases containing high-risk open source flaws.
Manufacturing, Industry and Robotics came in second place with 87%. The Big Data, AI, BI and machine learning industry had 66%, while the aerospace, aviation, automotive, transportation and logistics industry was at the bottom at 33%.
For Jason Schmitt, CEO of Synopsys Software Integrity Group, the report's results are "alarming." "Increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities," he said. "Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking, and effectively managing open source is a key element of strengthening software supply chain security."
Elsewhere in the report, Synopsys also said that the percentage of code bases containing at least one open source vulnerability "remained constant" year over year, at 84%.