Maintenance matters in mitigating zombie code risk

Zombie code generally refers to portions of code that are no longer used or necessary for an application's functionality but that remain within the codebase. There are many different flavors of zombie code, just like in zombie movies (think fast versus slow zombies, or “The Last of Us” fungi zombies versus traditional “Night of the Living Dead” braaains! zombies). Like the fictional undead, zombie code can appear when least expected, causing unforeseen complications. When it comes to open source consumption, zombie code’s most significant danger is outdated code that has become vulnerable to exploitation.

Whether your organization develops or uses software, there’s a near certainty that your software includes open source. According to the 2024 OSSRA findings, 96% of audited code contained open source. In some industries (from aerospace to telecommunications), 100% of the codebases contained open source. And in many sectors, significant percentages of the risk-assessed codebases contained high-risk vulnerabilities, including 87% in manufacturing and 50% in the Internet of Things sector.

By not updating an open source component, consumers expose their applications to potential attacks that could exploit these vulnerabilities, leading to data breaches and other security issues.

With 91% of the risk-assessed codebases found to be using open source far behind the current version, the OSSRA report makes it clear consumers need to do better in keeping their code up-to-date, especially when it comes to popular open source components. The consequences of using older, more vulnerable versions of open source can be grim. For example, #2 of the top 10 vulnerabilities reported in the 2024 OSSRA report is a cross-site scripting vulnerability that could be used to execute untrusted code. The issue was patched nearly four years ago with jQuery 3.5.0. But as the OSSRA data illustrates, a third of the codebases scanned for security risks were found to be using a jQuery version still open to exploit from that vulnerability.
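A small inventory check for the jQuery case above, added here as an example (it is not code from the OSSRA report or from the article): it scans constructed HTML script references and a constructed package.json for jQuery versions older than the 3.5.0 release the article names, which is the kind of check that catches a zombie dependency before a scanner report does. The 3.5.0 threshold comes from the text; every URL, file name and package entry is made up.

```python
"""Flag jQuery versions older than 3.5.0 in constructed inventory data."""
import json
import re

# jQuery 3.5.0 is the release the article identifies as carrying the XSS fix.
FIXED_VERSION = (3, 5, 0)

# Matches "jquery-3.4.1.min.js", "jquery/3.5.0/jquery.js", "jquery.3.3.1.js".
_SCRIPT_RE = re.compile(r"jquery[/.\-]v?(\d+\.\d+\.\d+)", re.IGNORECASE)


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple; leading range
    operators such as ^ or ~ are ignored so the tuple is the range's lower bound."""
    m = re.match(r"\D*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def outdated_from_html(html):
    """Return sorted jQuery versions referenced by <script src> that predate 3.5.0."""
    found = set()
    for src in re.findall(r'<script[^>]+src="([^"]+)"', html, re.IGNORECASE):
        m = _SCRIPT_RE.search(src)
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            found.add(m.group(1))
    return sorted(found)


def outdated_from_package_json(package_json):
    """Return jquery entries whose lower bound predates 3.5.0; a range such as
    ^3.3.1 can still resolve to a vulnerable release in a stale lockfile."""
    data = json.loads(package_json)
    hits = []
    for section in ("dependencies", "devDependencies"):
        spec = data.get(section, {}).get("jquery")
        if spec and parse_version(spec) < FIXED_VERSION:
            hits.append(f"{section}: {spec}")
    return hits


# Constructed sample inputs (hypothetical hosts and paths).
SAMPLE_HTML = """
<script src="https://cdn.example.test/jquery-3.4.1.min.js"></script>
<script src="/static/jquery/3.5.0/jquery.min.js"></script>
<script src="/vendor/jquery-1.12.4.js"></script>
"""
SAMPLE_PACKAGE_JSON = '{"dependencies": {"jquery": "^3.3.1"}, "devDependencies": {"jquery": "3.7.1"}}'

if __name__ == "__main__":
    print("outdated in HTML:", outdated_from_html(SAMPLE_HTML))
    print("outdated in package.json:", outdated_from_package_json(SAMPLE_PACKAGE_JSON))
```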

Beyond security issues, out-of-date open source contributes to overall technical debt: missed bug fixes and performance improvements, and compatibility issues that eventually need to be addressed. Over time, this technical debt can make applications more difficult and expensive to maintain, hindering their long-term viability and effectiveness. Zombie open source can even affect license compliance, as it may be difficult to obtain clarification or support regarding licensing terms for outdated or inactive components.