50% of the vulnerabilities we found are more than four years old. In almost every case, newer versions of these vulnerable software components are available.
In a new report, Synopsys finds that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available.
The State of Software Composition 2017 is based on Black Duck Binary Analysis scans of 128,782 applications performed throughout 2016. These scans identified 16,868 unique versions of open source and commercial software components and found a total of almost 10,000 unique vulnerabilities.
“By analyzing large data sets and identifying trends and problem areas, we are able to provide our customers with valuable intelligence to help them keep their software secure and up to date,” said Andreas Kuehlmann, senior vice president and general manager for the Synopsys Software Integrity Group. “Over time all software starts to decay, leaving a previously secure software package open to exploits and vulnerabilities. The message to the software industry should not be whether to use open source software, but whether you are keeping it updated to prevent attacks.”
Other key findings:
In today’s Fault Injection podcast, focusing on software composition, Chris Clark, principal security engineer at Synopsys, said of the report, “We talk about the software development life cycle in some of our programs. As a developer, when I look at the code and I choose the libraries and I’ve developed my software, usually that gets chucked over the fence to another team. What we’re also implying here is that another team has to have the tools to be able to monitor this product that’s been released and is out in the market. Without that information, without that continuous monitoring, you are going to be reactionary. You are going to be event driven.”