Open source vulnerabilities dominated 2023, and this year looks no different


The number of high-risk open source vulnerabilities in codebases has increased significantly, according to new research, leaving an increasing number of organizations open to exploitation by cyber criminals.

74% of codebases assessed by Synopsys were found to contain high-risk open source vulnerabilities, marking a 54% surge compared to the year prior, the firm said.

Synopsys’ ‘Open Source Security and Risk Analysis’ (OSSRA) report analyzed anonymized data from audits of over 1,000 commercial codebases across 17 industries.

The study revealed an alarming level of carelessness around the timely patching of digital assets, with 91% of codebases found to contain components that were 10 or more versions out of date.

A further 49% of codebases contained components that had no development activity within the last two years, and 14% of the codebases had vulnerabilities that were over 10 years old.

Eight of the top 10 vulnerabilities identified in the research were found to trace back to a common type of weakness. These flaws were classified as improper neutralization weaknesses, or CWE-707 in the MITRE ATT&CK framework.

Apart from security vulnerabilities, compliance complications are another core concern around the use of open source code in enterprises, the study found, with a large swathe of open source code discovered to be in violation of licensing agreements.

Over half of the codebases contained license conflicts, while 31% contained open source code with no license or a custom license.

Open source vulnerabilities stem from limited resources 

The integral role of open source code in almost every aspect of development means businesses need to implement robust security strategies to better manage the risks attached to using these libraries.

The report found that 77% of all code in the codebases it assessed originated from an open source repository.

Synopsys’ research speculated that these issues may be the result of a strain on resources available to companies after many have had to downsize their workforce amid economic uncertainty.

Speaking to ITPro in February, Chris Eng, chief research officer at application security specialists Veracode, said the most important step companies can take to mitigate third-party code vulnerabilities is implementing regular patching procedures. 

If companies don’t ensure they regularly update their components, these vulnerabilities build up in the form of security debt, ultimately resulting in security professionals facing far more work when they do eventually perform fixes in the codebase.

“With third-party it largely is patching, it’s keeping the library up to date… If you just kept it up to date every time the maintainer released a minor version, you updated from 2.1 to 2.2, there's no breakage barely ever”, Eng explained.

But when software is left unattended for prolonged periods, Eng said the work for security professionals becomes exponentially more difficult as devs try to apply a series of updates without impacting functionality, comparing it to interest piling up on a credit card.

With each update, developers need to run tests to ensure there are no breakages and that the update didn’t deprecate some functionality they were using; so with each missed update it will take security teams exponentially longer to keep open source libraries up to date.
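The report's own thresholds (ten or more versions out of date, no development activity in two years, no declared license) can be turned into a simple inventory check. This is an added Python example, not tooling from Synopsys or Veracode; the component inventory, its version lists and its dates are constructed.

```python
# Added example: flag components against the OSSRA-style thresholds.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_VERSIONS_BEHIND = 10     # report: "10 or more versions out of date"
MAX_INACTIVE_DAYS = 2 * 365  # report: "no development activity within two years"

def parse_version(v: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Component:
    name: str
    installed: str
    released: List[str]        # every published version, any order
    last_activity: date        # most recent upstream commit or release
    license: Optional[str]     # None when no license is declared

def versions_behind(c: Component) -> int:
    """Count released versions that are newer than the installed one."""
    cur = parse_version(c.installed)
    return sum(1 for v in c.released if parse_version(v) > cur)

def assess(c: Component, today: date) -> List[str]:
    """Return the report categories this component falls into (empty list = ok)."""
    findings = []
    if versions_behind(c) >= MAX_VERSIONS_BEHIND:
        findings.append("outdated")
    if (today - c.last_activity).days > MAX_INACTIVE_DAYS:
        findings.append("inactive")
    if c.license is None:
        findings.append("no-license")
    return findings

# Constructed sample inventory (hypothetical names, not real project data).
INVENTORY = [
    Component("libfoo", "2.1.0", [f"2.{i}.0" for i in range(13)], date(2023, 11, 1), "MIT"),
    Component("libbar", "1.4.2", ["1.4.2", "1.4.3"], date(2021, 6, 1), None),
    Component("libbaz", "3.0.0", ["3.0.0"], date(2024, 1, 15), "Apache-2.0"),
]

def report(inventory: List[Component], today: date = date(2024, 3, 1)) -> dict:
    """Map each component name to its list of findings."""
    return {c.name: assess(c, today) for c in inventory}

if __name__ == "__main__":
    for name, flags in report(INVENTORY).items():
        print(f"{name}: {', '.join(flags) or 'ok'}")
```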

Eng raised a statistic from previous research carried out by Veracode that found the vast majority of developers never update their open source code after implementing it.

“We found a few years ago that 79% of the time developers never update the open source library, after the first time they grab it and download it for their app they never touch it and update it again, so that’s a number that’s got to change.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.