The number of commercial codebases containing high-risk vulnerabilities integrated through open source components has increased dramatically year-on-year.
A report from Synopsys found almost three-quarters (74%) contained vulnerabilities that are being actively exploited, have proof-of-concepts (PoC), or are classified as remote code execution flaws. The number is up from 48% a year ago.
While the researchers don’t know why the number of high-risk vulnerabilities increased so significantly in just a year, they speculate that economic instability and the consequent layoffs of tech workers might have something to do with it. The overall state of the market has reduced the number of resources available to patch vulnerabilities, leading to the above-mentioned results.
Semiconductor vertical at risk
While the risk is present in various industries, the Computer Hardware and Semiconductor industry has it the worst, with 88% of codebases containing high-risk open-source flaws.
Manufacturing, Industrial, and Robotics, were close second with 87%. Big Data, AI, BI and Machine Learning industry had 66%, while Aerospace, Aviation, Automotive, Transportation and Logistics industry were at the very bottom, with 33%.
For Jason Schmitt, general manager at Synopsys Software Integrity Group, the report’s findings are “alarming”. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities,” he said. “Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”
Elsewhere in the report, Synopsys also said that the percentage of codebases containing at least one open-source vulnerability “remained consistent” year-over-year, at 84%.
More from TechRadar Pro
- Russian hackers targeting JetBrains TeamCity security flaws
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now