A new report released today by electronic design automation company Synopsys Inc. uncovers a disturbing surge in high-risk vulnerabilities in commercial codebases, increasing the risk of hacking and data theft.

The ninth edition of the Synopsys Open Source Security and Risk Analysis report found that though codebases containing at least one open-source vulnerability remained consistent year-over-year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. The percentage of codebases with high-risk open source vulnerabilities, those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities, rose from 48% in 2022 to 74% in 2023.

The surge is attributed in the report to variables such as economic instability and the consequent layoffs of tech workers. The reduction in the number of resources, including staff, means the ability to patch vulnerabilities has declined, resulting in an increase in unpatched vulnerabilities.

“This year’s OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities.”

Additional findings from the report include an increase in “zombie code,” the use of outdated or inactive open-source components within software codebases, some of which have not been updated or actively developed for over two years. Some 91% of codebases were found to contain components that were ten or more versions out-of-date and 49% contained components that had no development activity within the past two years.

The report found that the mean age of open source vulnerabilities in the codebases was over two and a half years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.

High-risk open-source vulnerabilities were found to permeate across critical industries. The computer hardware and semiconductor industry had the highest percentage of codebases, with high-risk open source vulnerabilities at 88%.

Manufacturing, industrials and robotics industries were only just behind at 87%. Through the middle of the pack, big data, artificial intelligence, business intelligence and the machine learning industry had two-thirds of its codebases affected by high-risk vulnerabilities. At the bottom were aerospace, aviation, automotive, transportation and logistics, with high-risk vulnerabilities in a third of its codebases.

Open-source license challenges are highlighted in the report, with 53% of the codebases found to contain open source license conflicts and 31% of codebases were found to be using code with either no discernible license or a customized license. Computer hardware and semiconductors companies ranked highest in the percentage of codebases containing license conflicts at 92%, followed by manufacturing, industrials and robotics at 81%.  It’s noted that only one noncompliant license in software can result in the loss of lucrative intellectual property, time-consuming remediation and delays in getting products to market.

Eight of the top 10 vulnerabilities were also found to trace back to one common weakness type — improper neutralization weaknesses. Those involve vulnerabilities where input is not properly sanitized, leading to potential security risks such as cross-site scripting attacks.

Image: DALL-E 3