Half of apps have high-risk vulnerabilities due to open source
The proportion of open source codebases with vulnerabilities has remained level over the past two years, but the number of applications with high-risk vulnerabilities has dropped to its lowest level in four years.
That’s according to the “2023 Open Source Security and Risk Analysis” (OSSRA) report, published by Synopsys on Feb. 22. The annual study, based on audits of more than 1,700 applications, found that almost every software program (96%) included some kind of open source software component, with the average codebase consisting of 76% open source code. While the number of codebases with at least one vulnerability remained mostly stable over the past three years at slightly more than 80% — 84% in 2022 — the number of applications with high-risk vulnerabilities has dropped to about half (48%) of all applications tested, from a peak of about 60% in 2020.
Overall, the data shows some bright spots in the struggle against vulnerable dependencies, of which the average application has 595, but there’s no broad trend toward greater application security, says Mike McGuire, a senior software solutions manager at Synopsys Software Integrity Group.
“Organizations are struggling to keep up with the scale of open source usage,” he says. “If you take those almost 600 components per application on average, and multiply that by the number of vulnerabilities that are disclosed on an annual basis, then you can really, really start to drown in the work.”
Open source components, and the dependencies on which popular application frameworks rely, continue to pose security problems for software makers and application developers. The ubiquity of some components — such as Log4j in the Java ecosystem — continues to cause security issues for many applications based on open source frameworks.
Outdated Dependencies Are Common
Applications that include a lot of components — and by extension, those components’ dependencies — can have deep dependency trees that make it hard to find every vulnerability. Nearly all applications (91%), for example, included at least one open source component that has had no development in the past two years, a likely sign that the project is no longer being maintained and, therefore, represents a security risk.
Nearly one in eight applications also had more than 10 different versions of a specific codebase, with each likely imported from a different component and that component’s dependencies.
Failing to eliminate those older codebases represents a risk, Synopsys stated in the OSSRA report.
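The two signals described above (one library pulled in at several versions by different components, and components with no recent development) can be checked directly from a lockfile. The following is an added example, not code from the article or from Synopsys; it walks a constructed npm package-lock.json v3 layout and uses constructed "last published" dates standing in for a registry lookup.

```python
"""Report duplicated package versions and stale components in an npm lockfile."""
from collections import defaultdict
from datetime import date

# Constructed sample in package-lock.json v3 layout (keys are install paths).
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/pkg-a": {"version": "2.0.0"},
        "node_modules/pkg-a/node_modules/lodash": {"version": "3.10.1"},
        "node_modules/pkg-b": {"version": "0.4.0"},
        "node_modules/pkg-b/node_modules/lodash": {"version": "2.4.2"},
        "node_modules/pkg-b/node_modules/tiny-util": {"version": "0.1.0"},
    },
}
# Constructed last-publish dates, as a registry query would return them.
LAST_PUBLISHED = {
    "lodash": date(2021, 6, 1), "left-pad": date(2018, 4, 12),
    "pkg-a": date(2023, 1, 5), "pkg-b": date(2019, 6, 30),
}

def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (keeps the scope)."""
    return path.rsplit("node_modules/", 1)[-1]

def versions_by_package(lockfile):
    """Map each package name to the set of versions installed anywhere in the tree."""
    seen = defaultdict(set)
    for path, meta in lockfile["packages"].items():
        if path:  # "" is the root project itself
            seen[package_name(path)].add(meta["version"])
    return dict(seen)

def duplicated(lockfile, min_versions=2):
    """Packages present in at least min_versions distinct versions."""
    return {n: sorted(v) for n, v in versions_by_package(lockfile).items()
            if len(v) >= min_versions}

def stale(lockfile, last_published, today, max_age_days=730):
    """Packages with no publish in max_age_days; unknown dates are flagged too."""
    out = []
    for name in versions_by_package(lockfile):
        last = last_published.get(name)
        if last is None or (today - last).days > max_age_days:
            out.append(name)
    return sorted(out)

if __name__ == "__main__":
    print("duplicated:", duplicated(LOCKFILE))
    print("stale:", stale(LOCKFILE, LAST_PUBLISHED, date(2023, 2, 22)))
```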
To read the complete article, visit Dark Reading.