The Growing Threat of Zombie Code 

Zombie codes are not killers, but they definitely act like slow poison, often significantly slowing down system response and reducing overall efficiencies within a business. A new report highlights the presence of components that were ten or more versions behind the most recent and the worrisome fact is that 91% of commercial codebases suffer from this malaise. 

Fred Bals, senior software security researcher with Synopsys Cybersecurity Research Center notes that the new “Open Source Security and Risk Analysis” report for 2024 catalogs security concerns caused by the significant lag from organizations in keeping their open source components up-to-date.  

This is one area that’s been ignored for long

The report reveals a bleak landscape, says Bals while pointing out that 49% of the codebases contained components with no development activity within the past 24 months. Readers would recall that Zombie code refers to portions of computer code that are no longer used or necessary for an application’s functionality but remain within the codebase. 

“Like the fictional undead, zombie code can appear when least expected, causing unforeseen complications. When it comes to open source consumption, zombie code’s most significant danger is outdated code that has become vulnerable to exploitation,” notes the author of the note related to the zombie code challenge. 

“Whether your organization develops or uses software, there’s a near certainty that your software includes open source,” says Bals while quoting from the research findings that indicate 100% of audited code contained open source in aerospace to telecom industries while in many sectors, significant percentages of the risk-assessed codebases contained high-risk vulnerabilities—including 87% in manufacturing and 50% in the Internet of Things sector.

Not updating codebases can queer the pitch 

By not updating an open source component, consumers expose their applications to potential attacks that could exploit these vulnerabilities, leading to data breaches and other security issues, he notes, adding that consumers need to do better in keeping their code up-to-date, especially in relation to the popular open source components. 

Beyond security issues, out-of-date open source contributes to overall technical debt—bug and performance improvements missed, and compatibility issues that eventually need to be addressed. Over time, this technical debt can make applications more difficult and expensive to maintain, hindering their long-term viability and effectiveness. 

Here’s what you can do to set up a maintenance process

The researcher offers three steps to improve open source maintenance processes that include implementing automated tools, establishing regular update cadences and creating and maintaining a software bill of materials. Here is how it works: 

The use of automated tools, such as software composition analysis, can help identify outdated components and vulnerabilities. Unlike manual processes, automated open source testing and management can be executed quickly and consistently, allowing developers to identify issues early in the development process without impacting delivery schedules or productivity.

Establishing regular cadences for updating open source components can prevent the accumulation of outdated and potentially vulnerable zombie code. Set a regular cadence for upgrades, especially if you’re using open source libraries from popular projects that have frequent maintainer activity.

An accurate, up-to-date SBOM that inventories open source components is critical as it lists all the open source components in your applications as well as those components’ licenses, versions, and patch status. In the ultimate analysis, Bals warns that “just like with fictional zombies, a single zombie open source component can compromise all your defenses and wreak havoc.