Most codebases contain a huge amount of open source vulnerabilities

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

The number of commercial codebases containing high-risk vulnerabilities integrated through open source components has increased dramatically year-on-year. 

A report from Synopsys found almost three-quarters (74%) contained vulnerabilities that are being actively exploited, have proof-of-concepts (PoC), or are classified as remote code execution flaws. The number is up from 48% a year ago.

While the researchers don’t know why the number of high-risk vulnerabilities increased so significantly in just a year, they speculate that economic instability and the consequent layoffs of tech workers might have something to do with it. The overall state of the market has reduced the number of resources available to patch vulnerabilities, leading to the above-mentioned results.

Semiconductor vertical at risk

While the risk is present in various industries, the Computer Hardware and Semiconductor industry has it the worst, with 88% of codebases containing high-risk open-source flaws. 

Manufacturing, Industrial, and Robotics, were close second with 87%. Big Data, AI, BI and Machine Learning industry had 66%, while Aerospace, Aviation, Automotive, Transportation and Logistics industry were at the very bottom, with 33%.

For Jason Schmitt, general manager at Synopsys Software Integrity Group, the report’s findings are “alarming”. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities,” he said. “Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”

Elsewhere in the report, Synopsys also said that the percentage of codebases containing at least one open-source vulnerability “remained consistent” year-over-year, at 84%.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.