A recent study by vulnerability management firm RiskSense revealed that the number of open source software (OSS) vulnerabilities increased in 2019 compared to 2018.
The study, titled “The Dark Reality of Open Source”, also stated that the total number of Common Vulnerabilities and Exposures (CVE) entries reached 968 in 2019, up from 421 in 2018, a rise of 130%. It also found that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) after public disclosure, leaving organizations exposed to critical application security risks for a long time.
Vulnerabilities in Open Source Projects
According to the study, the OSS projects with the most CVEs were the Jenkins automation server (646) and MySQL (624), each of which had 15 weaponized vulnerabilities, while HashiCorp’s Vagrant had only nine CVEs. Other OSS projects with vulnerabilities that were trending or popular in real-world attacks included Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss.
RiskSense also stated that cross-site scripting (XSS) weaknesses are the second most common type of vulnerability and the most frequently weaponized. In addition, the study revealed that some weakness classes, such as deserialization issues (28) and code injections (16), were far less common but remained popular in active attack campaigns.
Srinivas Mukkamala, CEO of RiskSense, said, “While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
70% Of Mobile and Desktop Apps Contain Open Source Security Flaws
According to Veracode’s annual report, 70% of mobile and desktop applications in use today have at least one security flaw that stems from the use of open-source libraries. The report, “State of Software Security,” revealed that a lack of awareness about where and how open-source libraries are being used is a major contributing factor to security issues. Open-source libraries are free-to-use, centrally hosted code repositories that provide ready-made code for developers. These libraries are not only ubiquitous but also risky, the research stressed. The research examined 351,000 external libraries in 85,000 applications and found that these libraries contain several security bugs. Even a single bug can affect hundreds of applications.