According to a recent study by Synopsys, outdated code components lurking in codebases, commonly referred to as “zombie code,” pose a significant risk by harboring unpatched vulnerabilities for extended periods.

In their Open Source Security and Risk Analysis study, Synopsys researchers highlight the growing concern that zombie code poses for codebase security. With much of this obsolete code still in use, there is a heightened risk of unresolved vulnerabilities persisting long after they should have been addressed.

Most codebases contain zombie code

The study revealed that a staggering 91 percent of the examined codebases contained zombie code, defined as components that were at least 10 versions behind. Additionally, nearly half of the codebases contained code components that hadn’t been updated in over two years. On average, the age of open source vulnerabilities found in these codebases was 2.5 years, with a quarter of them dating back over a decade.

Notably, eight out of ten vulnerabilities identified in the codebases were attributed to a single vulnerability type: Improper Neutralization.
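The two thresholds the study uses (a component at least 10 versions behind, or a component not updated in over two years) are simple to apply to a dependency inventory once you know each component's release history. The script below is an added example, not code from Synopsys or from the report: it runs those two checks over a constructed inventory with made-up component names, versions and release dates. It counts version lag by position in the publisher's release sequence rather than by sorting version strings, and it measures age as the time since the pinned version was published, which is an assumption about how "not updated" is meant.

```python
"""Flag zombie open source components in a dependency inventory.

Added example, not from the Synopsys report. Component names, versions
and release dates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

ZOMBIE_VERSION_LAG = 10    # report criterion: at least 10 versions behind
ZOMBIE_AGE_DAYS = 2 * 365  # report criterion: not updated in over two years

# Constructed release histories: component -> [(version, release date), ...]
# in publication order. Using publication order instead of string sorting
# avoids the classic "1.10.0" < "1.9.0" mistake.
RELEASES = {
    "libfoo": [
        ("1.2.0", date(2021, 1, 15)), ("1.3.0", date(2021, 4, 1)),
        ("1.4.0", date(2021, 7, 1)), ("1.5.0", date(2021, 10, 1)),
        ("1.6.0", date(2022, 1, 1)), ("1.7.0", date(2022, 4, 1)),
        ("1.8.0", date(2022, 7, 1)), ("1.9.0", date(2022, 10, 1)),
        ("1.10.0", date(2023, 1, 1)), ("1.11.0", date(2023, 4, 1)),
        ("1.12.0", date(2023, 7, 1)), ("1.13.0", date(2023, 10, 1)),
        ("2.0.0", date(2024, 2, 1)),
    ],
    "barlib": [
        ("3.4.0", date(2023, 6, 1)), ("3.4.1", date(2023, 9, 1)),
        ("3.5.0", date(2024, 1, 10)),
    ],
    "oldutil": [("0.9", date(2019, 5, 20)), ("1.0", date(2020, 3, 3))],
    "freshlib": [("2.0.0", date(2023, 11, 5)), ("2.1.0", date(2024, 1, 20))],
}

# Constructed inventory: the version of each component pinned in the codebase.
INVENTORY = {"libfoo": "1.2.0", "barlib": "3.4.1", "oldutil": "0.9", "freshlib": "2.1.0"}


@dataclass
class Finding:
    component: str
    pinned: str
    versions_behind: int
    age_days: int
    reasons: list[str]


def _pinned_index(releases: list[tuple[str, date]], pinned: str) -> int:
    """Position of the pinned version in the publication sequence."""
    for idx, (version, _) in enumerate(releases):
        if version == pinned:
            return idx
    raise ValueError(f"pinned version {pinned!r} not found in release history")


def versions_behind(releases: list[tuple[str, date]], pinned: str) -> int:
    """Number of releases published after the pinned one."""
    return len(releases) - 1 - _pinned_index(releases, pinned)


def pinned_age_days(releases: list[tuple[str, date]], pinned: str, today: date) -> int:
    """Days since the pinned version was published (assumed meaning of 'not updated')."""
    _, released = releases[_pinned_index(releases, pinned)]
    return (today - released).days


def find_zombies(inventory: dict[str, str], releases: dict, today: date) -> list[Finding]:
    """Apply both report thresholds and return only the components that trip one."""
    findings = []
    for name, pinned in inventory.items():
        history = releases[name]
        lag = versions_behind(history, pinned)
        age = pinned_age_days(history, pinned, today)
        reasons = []
        if lag >= ZOMBIE_VERSION_LAG:
            reasons.append(f"{lag} versions behind (threshold {ZOMBIE_VERSION_LAG})")
        if age > ZOMBIE_AGE_DAYS:
            reasons.append(f"pinned release is {age} days old (threshold {ZOMBIE_AGE_DAYS})")
        if reasons:
            findings.append(Finding(name, pinned, lag, age, reasons))
    return findings


if __name__ == "__main__":
    for f in find_zombies(INVENTORY, RELEASES, date(2024, 3, 1)):
        print(f"{f.component} {f.pinned}: " + "; ".join(f.reasons))
```

In a real pipeline the release histories would come from the package registry or an SBOM enrichment step rather than a literal; the classification logic stays the same. Note that a component can be only one version behind and still be a zombie by age (the `oldutil` case), which is why both checks are worth running.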

Security deteriorating in 2023

Furthermore, the researchers noted a concerning trend in codebase security, with 74 percent of codebases in 2023 found to have high-risk vulnerabilities, up from 48 percent in 2022. This deterioration is partially attributed to workforce reductions, particularly among developers who are crucial for resolving such code issues.


Poor open source licensing policies

Synopsys researchers also identified poor open source licensing practices as a contributing factor to zombie code vulnerabilities. Approximately 53 percent of the surveyed codebases encountered issues with open source licensing, with 31 percent lacking any license or utilizing a custom license.
