Synopsys report finds old, vulnerable software components still in use
50% of the vulnerabilities we found were more than four years old. In almost every case, newer versions of these vulnerable software components were available.
In a new report, Synopsys finds that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available.
The State of Software Composition 2017 is based on Black Duck Binary Analysis scans of 128,782 applications performed throughout 2016. These scans identified 16,868 unique versions of open source and commercial software components and found a total of almost 10,000 unique vulnerabilities.
“By analyzing large data sets and identifying trends and problem areas, we are able to provide our customers with valuable intelligence to help them keep their software secure and up to date,” said Andreas Kuehlmann, senior vice president and general manager for the Synopsys Software Integrity Group. “Over time all software starts to decay, leaving a previously secure software package open to exploits and vulnerabilities. The message to the software industry should not be whether to use open source software, but whether you are keeping it updated to prevent attacks.”
Other key findings:
- 45% of the 9,553 specific CVEs identified date to 2013 or earlier.
- Heartbleed still appears in the top 50% of all CVEs observed, even though a patch has been available since 2014.
- The oldest CVE dates to 1999.
- The top 10 most common software components with outdated versions (still in use more than 90% of the time) are Curl, Dropbear, Expat, libjpeg-turbo, libjpeg, libpng, Linux Kernel, Lua, OpenSSL, and PCRE. If users do not update these software components, they remain vulnerable.
Chris Clark, principal security engineer at Synopsys, said of the report, “We talk about the software development life cycle in some of our programs. As a developer, when I look at the code and I choose the libraries and I’ve developed my software, usually that gets chucked over the fence to another team. What we’re also implying here is that another team has to have the tools to be able to monitor this product that’s been released and is out in the market. Without that information, without that continuous monitoring, you are going to be reactionary. You are going to be event driven.”
