Majority of commercial codebases contain high-risk open-source code
The report points to the need for companies to patch open-source software and components, said Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group.
“It’s unpatched vulnerabilities that have led to some of the most significant data breaches,” he said. “Arguably, it’s the duty of these companies to address vulnerabilities, especially if they’re a commercial software vendor, or are otherwise handling sensitive information.”
Still, not all vulnerabilities are created equal, and there are probably a “small handful” of vulnerabilities identified in the report that need to be resolved immediately, outside of a regular release cycle, he added.
“It’s crucial that an organization adopt the processes and resources to not only identify vulnerabilities, but also effectively prioritize which ones need urgent attention,” McGuire said.
Many eyes do help
Advocates of open-source software have long argued that many eyes on code lead to fewer bugs and vulnerabilities, and the report doesn’t disprove that assertion, McGuire said.
“If anything, the report supports that belief,” he said. “The fact that there are so many disclosed vulnerabilities and CVEs serves as a testament to how active, vigilant, and reactive the open-source community is, especially when it comes to addressing security issues. It’s this very community that is doing the discovery, disclosure, and patching work.”