News Feed Item

Synopsys Research Highlights the Pervasive Use of Outdated and Insecure Third-Party Software Components

Analysis of More Than 120,000 Applications Found that Half of Third-Party Software Components in Use Are Outdated

MOUNTAIN VIEW, California, June 6, 2017 /PRNewswire/ -- Synopsys, Inc. (Nasdaq: SNPS) today released its report, "The State of Software Composition 2017," which analyzed real-world data to investigate the security of the software supply chain ­ one of the most significant challenges the software industry faces today. The report summarizes the analysis of 128,782 software applications, which identified 16,868 unique versions of open source and commercial software components containing almost 10,000 unique security vulnerabilities.

Synopsys used its software composition analysis product, Protecode SC, to analyze applications scanned from January 1, 2016 through December 31, 2016. Of the 3rd party software components identified through the analysis of these applications, nearly 50 percent of these components were more than four years old, and in almost every case a newer, more secure version of the software component is available.

"By analyzing large data sets and identifying trends and problem areas, we are able to provide the software development community with valuable intelligence to help them keep their software secure and up to date," said Andreas Kuehlmann, senior vice president and general manager for the Synopsys Software Integrity Group. "Over time, vulnerabilities in third-party components are discovered and disclosed, leaving a previously secure software package open to exploits. The message to the software industry should not be whether to use open source software, but whether you are vigilant about keeping it updated to prevent attacks."  

The research, upon which the report is based, represents a cross section of software including mobile, desktop and web applications, as well as firmware and embedded software from a variety of industries. The report includes information on the most commonly observed 3rd party software components, the Common Vulnerabilities and Exposures (CVE) known to affect these components, the 10-point Common Vulnerability Scoring System (CVSS) rank for CVE and the Common Software Weaknesses (CWE) used to classify them.

Other key findings include:

  • 45 percent of the total 9,553-specific CVEs date back to 2013 or earlier
  • The Heartbleed bug still appears in the top 50 percent of all CVEs observed, even though a patch has been available since 2014
  • The oldest CVE dates back to 1999
  • The top 10 most common software components with outdated versions still being used more than 90 percent of the time include: Curl, Dropbear, Expat, libjpeg-turbo, libjpeg, libpng Linux Kernal, Lua, OpenSSL, and Pcre; if they are not updated, these software components may leave products vulnerable

"Coming on the heels of last month's WannaCry outbreak, the insights in the report serve as a wakeup call that not everyone is using the most secure version of available software," said Robert Vamosi, security strategist at Synopsys. "The update process does not end at the time of software release, and an ongoing pattern of software updates must be implemented throughout the product lifecycle. As new CVEs are disclosed against open source software components, developers need to know whether their products are affected, and organizations need to prevent the exploit of vulnerabilities with the latest versions when they become available."

Download the full report here.

About the Synopsys Software Integrity Platform

Through its Software Integrity Platform, Synopsys provides advanced solutions and services for improving software security and quality. This comprehensive platform of automated analysis and testing technologies integrates seamlessly into the software development process and enables organizations to detect and remediate quality defects, security vulnerabilities and compliance issues early in the software development lifecycle, as well as to gain security assurance and visibility into their software supply chain. Learn more at www.synopsys.com/software-integrity.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As the world's 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and is also growing its leadership in software security and quality solutions. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest security and quality, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. Learn more at www.synopsys.com.

Editorial Contacts:
Simone Souza
Synopsys, Inc.
[email protected]

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial C...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
With privacy often voiced as the primary concern when using cloud based services, SyncriBox was designed to ensure that the software remains completely under the customer's control. Having both the source and destination files remain under the user?s control, there are no privacy or security issues. Since files are synchronized using Syncrify Server, no third party ever sees these files.
Mobile device usage has increased exponentially during the past several years, as consumers rely on handhelds for everything from news and weather to banking and purchases. What can we expect in the next few years? The way in which we interact with our devices will fundamentally change, as businesses leverage Artificial Intelligence. We already see this taking shape as businesses leverage AI for cost savings and customer responsiveness. This trend will continue, as AI is used for more sophistica...
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
I believe that this may finally be the year that the CIO role ‘crosses the Rubicon,' leaving behind its traditional, IT-focused orientation. But I don't believe that either of the previous predictions of this outcome — fading into oblivion or rising to a business executive level — is correct. Instead, I think this is the year that we will see the role of the CIO transformed into something altogether different.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
"Calligo is a cloud service provider with data privacy at the heart of what we do. We are a typical Infrastructure as a Service cloud provider but it's been designed around data privacy," explained Julian Box, CEO and co-founder of Calligo, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"NetApp is known as a data management leader but we do a lot more than just data management on-prem with the data centers of our customers. We're also big in the hybrid cloud," explained Wes Talbert, Principal Architect at NetApp, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.