Posted by Robert Vamosi on June 6, 2017
In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available.
The Synopsys report, The State of Software Composition 2017, uses the Synopsys Software Composition Analysis tool, Black Duck Binary Analysis, to analyze applications from January 1, 2016 through December 31, 2016. The research analyzes the composition of 128,782 software applications and identifies 16,868 unique versions of open source and commercial software components. The findings include a total of almost 10,000 unique vulnerabilities.
“By analyzing large data sets and identifying trends and problem areas, we are able to provide our customers with valuable intelligence to help them keep their software secure and up to date,” said Andreas Kuehlmann, Senior Vice President and General Manager for the Synopsys Software Integrity Group. “Over time all software starts to decay, leaving a previously secure software package open to exploits and vulnerabilities. The message to the software industry should not be whether to use open source software, but whether you are keeping it updated to prevent attacks.”
Other key findings include:
In today’s Fault Injection podcast, focusing on software composition, Chris Clark, Principal Security Engineer at Synopsys, said of the report, “We talk about the software development lifecycle in some of our programs. As a developer, when I look at the code and I choose the libraries and I’ve developed my software, usually that gets chucked over the fence to another team. What we’re also implying here is that another team has to have the tools to be able to monitor this product that’s been released and is out in the market. Without that information, without that continuous monitoring, you are going to be reactionary. You are going to be event driven.”