Highlighting the critical need for improved maintenance practices among users of open source software, the new 2024 “Open Source Security and Risk Analysis” (OSSRA) report catalogs security concerns caused by the significant lag many organizations have in keeping the open source components they use up-to-date. The report reveals a bleak landscape where most commercial codebases contain outdated components, with 91% containing components that were 10 versions or more behind the most currently available version. Additionally, 49% of the codebases contained components with no development activity within the past 24 months.
Zombie code generally refers to portions of code that are no longer used or necessary for an application's functionality but that remains within the codebase. There are many different flavors of zombie code, just like in zombie movies (think fast versus slow zombies, or “The Last of Us” fungi zombies versus traditional “Night of the Living Dead” braaains! zombies). Like the fictional undead, zombie code can appear when least expected, causing unforeseen complications. When it comes to open source consumption, zombie code’s most significant danger is outdated code that has become vulnerable to exploitation.
Whether your organization develops or uses software, there’s a near certainty that your software includes open source. According to the 2024 OSSRA findings, 96% of audited code contained open source. In some industries (including aerospace to telecommunications), 100% of the codebases contained open source. And in many sectors, significant percentages of the risk-assessed codebases contained high-risk vulnerabilities—including 87% in manufacturing and 50% in the Internet of Things sector.
By not updating an open source component, consumers expose their applications to potential attacks that could exploit these vulnerabilities, leading to data breaches and other security issues.
With 91% of the risk-assessed codebases found to be using open source far behind the current version, the OSSRA report makes it clear consumers need to do better in keeping their code up-to-date, especially when it comes to popular open source components. The consequences of using older, more vulnerable versions of open source can be grim. For example, #2 of the top 10 vulnerabilities reported in the 2024 OSSRA report is a cross-site scripting vulnerability that could be used to execute untrusted code. The issue was patched nearly four years ago with jQuery 3.5.0. But as the OSSRA data illustrates, a third of the codebases scanned for security risks were found to be using a jQuery version still open to exploit from that vulnerability.
Beyond security issues, out-of-date open source contributes to overall technical debt—bug and performance improvements missed, and compatibility issues that eventually need to be addressed. Over time, this technical debt can make applications more difficult and expensive to maintain, hindering their long-term viability and effectiveness. Zombie open source can potentially even have an impact on license compliance, as it may be difficult to obtain clarification or support regarding licensing terms for outdated or inactive components.
Based on the OSSRA report's findings, steps can be taken to improve open source maintenance practices and mitigate the risks associated with zombie code.
Remember, just like with fictional zombies, a single zombie open source component can compromise all your defenses and wreak havoc. Organizations that have open source in their software—which, as the 2024 OSSRA report shows, is literally all organizations—should proactively manage open source maintenance risk as a part of their secure software practices. Banishing outdated open source software needs to be a top priority for every open source consumer. The first step is examining your maintenance practices to see if they need improvement—before the zombies arrive.
Read the report to learn about the current state of open source security and risk.