Electronic design automation firm Synopsys Inc. today released a new report on the security risks in open-source software — and the findings are concerning.
The 2020 Open Source Security and Risk Analysis report from the Synopsys Cybersecurity Research Center was based on over 1,250 audits of commercial codebases. Noting that open source continues to play a critical role in today’s software ecosystem, with 99% of commercial codebases containing at least one open-source component, the report identified abandoned open-source code as the first problem area.
According to the report, 91% of commercial codebases audited contained components that either were more than four years out of date or had seen no development activity in the last two years. Three-quarters of audited codebases contained open-source components with known security vulnerabilities, up from 60% the previous year. And nearly half of the audited commercial codebases contained high-risk vulnerabilities, compared with 40% just 12 months prior.
“It’s difficult to dismiss the vital role that open source plays in modern software development and deployment, but it’s easy to overlook how it impacts your application risk posture from a security and license compliance perspective,” Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center, said in a statement. “Maintaining an accurate inventory of third-party software components, including open-source dependencies, and keeping it up to date is a key starting point to address application risk on multiple levels.”
The report wasn’t all negative in terms of open-source code usage. Use was found to be soaring, with an average of 445 open-source components per codebase, up from 298 in 2018. Seventy percent of the audited code was identified as open source, a figure that increased from 60% in 2018 and has nearly doubled since 2015, when the figure was 36%.
Licensing was also highlighted in the report as an issue, since open-source license conflicts can put intellectual property at risk. Sixty-eight percent of commercial codebases audited were found to contain some form of open-source license conflict, and 33% contained open-source components with no identifiable license.
The prevalence of licensing issues was found to vary between different industries. Internet and mobile apps topped the list at 93%, while in virtual reality, gaming, entertainment and media the figure came in at 59%.