Synopsys Report: Building a Comprehensive Software Bill of Materials is the Best Defense for Software Supply Chain Security

Publisher: EE小广播 | Last updated: 2023-02-23 | Source: EEWORLD | Keywords: Synopsys


Open source adoption has increased significantly, and high-risk vulnerabilities are increasing at an alarming rate




Frequent attacks on software supply chains have sounded the alarm across the industry. Log4Shell and Spring4Shell are two security vulnerabilities that have had widespread impact in the past two years. Criminals exploit such vulnerabilities in software upstream in the supply chain, and the effects propagate to the large number of downstream applications that depend on it. So how should organizations respond? The first step in protecting a software supply chain is managing the open source and third-party code in your applications. Avoiding business risk from open source, proprietary and commercial software starts with a comprehensive inventory of all software used by the enterprise, regardless of where it comes from or how it was obtained. Armed with this complete inventory, security teams can chart a path forward and develop plans to address the risks posed by newly disclosed security vulnerabilities such as Log4Shell.


Synopsys (Nasdaq: SNPS) recently released the "2023 Open Source Security and Risk Analysis" report (2023 OSSRA). The report, the eighth version of OSSRA, was produced by Synopsys' Cybersecurity Research Center (CyRC) and analyzes audit results of more than 1,700 M&A transactions involving commercial and proprietary code bases. The report reveals open source usage trends across 17 industries.


The 2023 OSSRA report delves into the current state of open source security, compliance, licensing, and code quality risks in commercial software to help security, legal, risk, and development teams better grasp the open source security and licensing risk landscape. This year's survey results show that the vast majority of code bases (84%) contain at least one known open source vulnerability, an increase of nearly 4% from the 2022 survey results.


Organizations that want to reduce business risk from open source, proprietary and commercial code start by building a comprehensive inventory of all software they use, regardless of where it comes from or how it is obtained: a software bill of materials (SBOM). Only with a complete inventory can enterprises develop strategies to deal with the risks posed by new security vulnerabilities such as Log4Shell.


“The 2023 OSSRA report highlights that open source is the foundation on which the vast majority of software today is built,” said Jason Schmitt, general manager of Software Quality and Security at Synopsys. “The average number of open source components increased by 13% in this year’s audit (from 528 to 595). This data further highlights that implementing a comprehensive SBOM, listing all the open source components in an application along with their license, version and patch status, is a basic strategy for understanding and mitigating the business risk of software supply chain attacks.”


Key findings of the 2023 OSSRA report include:


According to data reported by OSSRA over the past five years, the adoption rate of open source has increased significantly: in education technology, where the shift to online teaching and increased online interaction between teachers and students has driven the use of educational software, open source adoption grew 163%; in aerospace, automotive, transportation and logistics it surged 97%; and in manufacturing and robotics it increased 74%.


In the past five years, high-risk vulnerabilities have increased at an alarming rate: since 2019, high-risk vulnerabilities in the retail and e-commerce industries have surged by 557%; in the Internet of Things (IoT) field, 89% of audited code is open source, and high-risk vulnerabilities have increased by 130%; similarly, high-risk vulnerabilities in the aerospace, automotive, transportation and logistics verticals increased by 232%.


Using open source components without a license exposes companies to a greater risk of violating copyright law than using licensed components: the report found that 31% of code bases use open source code with no identifiable license or with a custom license, a 55% increase from last year’s OSSRA report. Code with no associated license, or with a license other than a standard open source license, can place unanticipated requirements on the licensee and often requires a legal evaluation of potential intellectual property issues or other impacts.


Available code quality and security patches are not yet universally applied to code bases: Of the 1,480 code bases audited with risk assessments, 91% contained outdated open source components. Unless organizations can consistently use an up-to-date and accurate SBOM, outdated components may be forgotten until they become vulnerable to high-risk attacks.
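As an added illustration, not from the report or from Synopsys, the Python sketch below shows the kind of triage a complete SBOM enables against the three risk categories named above (known vulnerable versions, no identifiable license, outdated components); the component inventory, the advisory version range and the latest-version table are all constructed sample data.

```python
"""Triage a minimal SBOM for the three risk categories the report names:
known vulnerable versions, no identifiable license, outdated components.
Every input below is constructed sample data, not real advisory data."""
import re

# Constructed SBOM fragment (CycloneDX-style fields): name, version, license.
SBOM = [
    {"name": "log4j-core", "version": "2.14.1", "license": "Apache-2.0"},
    {"name": "log4j-core", "version": "2.17.1", "license": "Apache-2.0"},
    {"name": "left-pad", "version": "1.3.0", "license": None},
    {"name": "openssl", "version": "1.1.1k", "license": "OpenSSL"},
]
# Constructed advisory: inclusive affected range, placeholder values only.
ADVISORIES = {"log4j-core": [("2.0", "2.14.1")]}
# Constructed "latest release" table driving the outdated-component check.
LATEST = {"log4j-core": "2.17.1", "left-pad": "1.3.0", "openssl": "3.0.0"}


def parse_version(v):
    """Split '1.1.1k' into ((1,''),(1,''),(1,'k')) so comparison is numeric:
    as plain strings '2.9.1' would wrongly sort after '2.14.1'."""
    parts = []
    for tok in re.split(r"[.\-]", v):
        m = re.match(r"(\d+)(.*)", tok)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, tok))
    return tuple(parts)

def in_range(version, lo, hi):
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def triage(sbom, advisories, latest):
    """Return (name, version, finding) tuples for every flagged component."""
    findings = []
    for c in sbom:
        name, ver = c["name"], c["version"]
        for lo, hi in advisories.get(name, []):
            if in_range(ver, lo, hi):
                findings.append((name, ver, "known vulnerable version"))
        if not c.get("license"):
            findings.append((name, ver, "no identifiable license"))
        if name in latest and parse_version(ver) < parse_version(latest[name]):
            findings.append((name, ver, "outdated component"))
    return findings

if __name__ == "__main__":
    for name, ver, finding in triage(SBOM, ADVISORIES, LATEST):
        print(f"{name:<12} {ver:<8} {finding}")
```

The same inventory, once kept current, answers the Log4Shell-style question the article poses in a single pass: which applications carry an affected version, and which have already moved to a patched one.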


"The key to managing open source risk is maintaining complete visibility of application content," said Mike McGuire, senior manager, security solutions, Software Quality and Security, Synopsys. "By building risk management into the application lifecycle on top of that visibility, enterprises can arm themselves with the information they need to resolve risk in an informed, timely manner. When adopting any type of third-party software, enterprises should rightly assume that it contains open source; verifying this and controlling the associated risks is as simple as obtaining an SBOM, which suppliers can easily provide, and taking the necessary steps to secure their software supply chain.”

