Key Takeaways

  • The Remediation Gap: While 96% of enterprise apps run on open source, the real risk isn’t the software itself, it’s the unmanaged components. 44% of vulnerabilities remain unpatched after a year, creating a massive tech debt wall.
  • The Zombie Risk: 93% of codebases contain zombie open source projects (unupdated for 2+ years). These projects are unlikely to be scanned or patched by original maintainers, leaving a permanent hole in security.
  • Scanning Doesn’t Equal Solving: New tools like Claude Code Security (CCS) are excellent “Researchers” for finding vulnerabilities, but they don’t solve the core burden of actually building, verifying, and implementing the fix.
  • Shift Right to Shift Left: To reduce developer burnout, organizations must move beyond just discovery. They need a Factory approach that delivers pre-verified, securely built-from-source components.
  • The 90/10 Rule: Use AI-driven scanners to find Zero-Day flaws in your 10% proprietary logic, but rely on a managed service like ActiveState to secure the 90%+ of the codebase you didn’t write.

The Hidden Cost of Unmanaged Open Source

Open source software is ubiquitous, powering 96% of all enterprise applications. While open source software itself is not less secure, unmanaged open source is now the dominant source of exploitable vulnerabilities, legal exposure, and software supply chain compromise. Companies are struggling to keep up: after one year, 44% of vulnerabilities remain unpatched, and 90% of application codebases contain components that are more than ten versions out of date (BlackDuck OSSRA Report).

The result is that organizations are drowning in Common Vulnerabilities and Exposures (CVEs). These unaddressed CVEs create significant pathways for attackers to infiltrate products, backends, or codebases. The risks also include malicious maintainers injecting code, questions about the trustworthiness of software sources, and the safety of precompiled community components.

For organizations with compliance mandates, rigorous CVE management is essential to pass audits and, for some, to maintain a near-zero CVE environment. We consistently hear that managing these CVEs is overwhelming. This burden often leads to developer/DevOps burnout, gets ignored and creates a massive wall of tech debt, or results in serious compliance failures.

The Limits of Scanning in an AI-Driven World

To address this, developers have been given an increasing number of tools to scan open source for CVEs. While some of the most critical open source software is already scanned through initiatives like the GitHub Secure Open Source Fund using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), most of the ecosystem is unprotected. BlackDuck estimates that less than 19% of open source repositories use any form of SAST. They also highlight the “zombie problem”: OSS projects not updated in two years, yet present in 93% of all codebases, which are unlikely to ever be scanned. Furthermore, the rise of AI is accelerating the discovery of vulnerabilities, subsequently increasing the volume of CVEs and the frequency of open source updates.

Claude Code Security: A New Tool for an Old Problem

Claude Code Security (CCS) is the newest entrant in this space. While articles suggest CCS may have a novel approach to finding vulnerabilities, we do not foresee organizations quickly abandoning their established, production-ready enterprise scanners or AI vendors. Why? Because CCS fails to solve the fundamental problem that has plagued enterprise software teams since scanners were invented: finding vulnerabilities is one thing; actually remediating them is another.

CCS does not change the core management challenge for organizations. They still need components that are securely built, trusted, and compliant. Organizations need a solution that eases the CVE burden that consumes valuable developer time. They need to shift right to shift left—implementing solutions that integrate, build, and deliver updated components, dependencies, and shared libraries to drastically reduce CVEs, regardless of the technology used to discover or fix them.

Simply adding one more scanner, no matter how unique, will not fundamentally alter the ecosystem. Scanners, including CCS, find the CVEs; maintainers create the fix. At ActiveState, we take on the work of rebuilding and managing this entire process for you.

The ActiveState Approach: Shifting from Discovery to Delivery

Think of it this way: Claude Code Security (CCS) is the Researcher that scans the codebase for CVEs and reports them to the open source project. If accepted, the maintainer updates the code. ActiveState is the Factory and Custodian: we run the code through our security scan, compile it securely from source, and provide it in a readily consumable format (e.g., a secure container, curated catalog, or managed distribution) that fits seamlessly into your existing developer workflows.

You should use Claude Code Security to find the ‘Zero-Day’ vulnerabilities within your proprietary business logic. Rely on ActiveState to ensure that the 90%+ of your codebase you didn’t write is built securely and consistently kept up-to-date. We are the filter. Instead of your developer or DevSecOps team facing 500 new AI-discovered CVEs, we provide a curated catalog of known-good component versions where the fixes have already been integrated and verified.

We deliver secure, built-from-source components in a SLSA 3 environment with industry-leading Service Level Agreements (SLAs). Our continuously updated curated catalogs feature the top 1,000+ components in our supported languages. This service ensures your organization maintains compliance, significantly improves its security posture, and accelerates development velocity.

Contact us to discuss how we can help your organization better manage its open source software.

FAQs

Open source isn't inherently insecure, but when it is unmanaged, it becomes a liability. Organizations struggle to keep up with patches, leaving 44% of vulnerabilities unaddressed after a year. Furthermore, 90% of codebases contain components that are more than ten versions out of date, creating massive legal and security exposures.

The "zombie problem" refers to open source projects that haven't been updated in over two years but are still present in 93% of codebases. These projects are unlikely to be scanned or patched by maintainers, leaving them permanently vulnerable even as new discovery tools like AI find more CVEs.

In this ecosystem, CCS acts as a "Researcher"—it scans code to find vulnerabilities. ActiveState acts as the "Factory and Custodian." While CCS finds the problems, ActiveState actually does the work of rebuilding, compiling from source in a secure SLSA 3 environment, and providing curated, verified components that are ready to use.

Adding more scanners only increases the volume of alerts (the CVE burden) without providing the fix. Scanners find the issues, but humans still have to fix them. This leads to developer burnout and tech debt. You need a solution that integrates and delivers updated components rather than just one that reports more problems.

Instead of a DevSecOps team manually triaging hundreds of new AI-discovered CVEs, ActiveState acts as a filter. It provides a curated catalog of known-good component versions where fixes are already integrated and verified. This allows developers to focus on proprietary logic while ensuring the 90%+ of the codebase they didn't write stays secure and compliant.