CybersecuritySecurity NewswireCybersecurity News

The average open source vulnerability is 2.5 years old

By Security Staff
Two monitors and keyboard on desk

Image via Unsplash

February 27, 2024

Open source software security was analyzed in a recent report by Synopsys. According to the report, nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities.

While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.

Ninety-one percent of codebases contained components that were 10 or more versions out-of-date, and 49% of codebases contained components that had no development activity within the past two years. The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.

High-risk open source vulnerabilities permeate across critical industries: The computer hardware and semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by manufacturing, industrials and robotics at 87%. Closer to the middle of the pack, the big data, AI, BI and machine learning industry had 66% of its codebases impacted by high-risk vulnerabilities. At the bottom of the list, the aerospace, aviation, automotive, transportation and logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.

The report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license. The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707).

Read the full report here.

KEYWORDS: code cyber security open source security software security vulnerability management

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Related Articles

Related Products

See More ProductsSee More Products

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!