Software Integrity Blog


Synopsys report finds old, vulnerable software components still in use

In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available.

The Synopsys report, The State of Software Composition 2017, uses the Synopsys software composition analysis tool, Black Duck Binary Analysis, to analyze applications scanned from January 1, 2016 through December 31, 2016. The research analyzes the composition of 128,782 software applications and identifies 16,868 unique versions of open source and commercial software components. The findings include almost 10,000 unique vulnerabilities.


“By analyzing large data sets and identifying trends and problem areas, we are able to provide our customers with valuable intelligence to help them keep their software secure and up to date,” said Andreas Kuehlmann, Senior Vice President and General Manager for the Synopsys Software Integrity Group. “Over time all software starts to decay, leaving a previously secure software package open to exploits and vulnerabilities. The message to the software industry should not be whether to use open source software, but whether you are keeping it updated to prevent attacks.”

Other key findings include:

  • 45% of the total 9,553 specific CVEs date back to 2013 or earlier.
  • Heartbleed still appears in the top 50% of all CVEs observed even though a patch has been available since 2014.
  • The oldest CVE dates back to 1999.
  • The top 10 most common software components found in outdated versions (still in use more than 90% of the time) include: Curl, Dropbear, Expat, libjpeg-turbo, libjpeg, libpng, Linux kernel, Lua, OpenSSL, and Pcre. If they are not updated, these software components may leave users vulnerable.


In today’s Fault Injection podcast, focusing on software composition, Chris Clark, Principal Security Engineer at Synopsys, said of the report, “We talk about the software development lifecycle in some of our programs. As a developer, when I look at the code and I choose the libraries and I’ve developed my software, usually that gets chucked over the fence to another team. What we’re also implying here is that another team has to have the tools to be able to monitor this product that’s been released and is out in the market. Without that information, without that continuous monitoring, you are going to be reactionary. You are going to be event driven.”

