Developers
June 15, 2020

Open Source Threatened by Software Vulnerabilities

Open-source software faces a growing number of security vulnerabilities, and many large developer communities share the risk.

Today we will talk about software security and open-source development. Open source, as we all know, lets developers and companies around the world use and build on code openly. This brings many benefits and some risks. Today we will focus on the risks, based on the latest software security reports.

RiskSense, a vulnerability-management company, has published a report based on its own research. What it found left software communities open-mouthed: 96% of all commercial codebases contain security flaws. Hard to believe, but that is the finding.

As security evolves, software has to meet the new standards. There will always be security flaws because technology keeps advancing: what counts as safe is only ever measured against the present moment, and as technology moves on, safeguards have to be developed to match the new standards.

The number of vulnerabilities more than doubled from 2018 (421 found) to 2019 (968 found). For 2020 the count is not yet final, but it is still rising, as more open-source projects are published and fall into the same security risks.

The study shows a large gap between the moment a vulnerability exists in a system and the moment analysts find it. Once a vulnerability is found and publicly disclosed, the next step is to add it to the National Vulnerability Database (NVD), which usually takes 54 days. That delay between disclosure and NVD publication leaves companies and developers running unsafe software for almost two months. And sometimes the NVD takes far longer: the report cites a critical PostgreSQL vulnerability, affecting a whole community, that took 1,817 days to be added.

RiskSense's CEO states that "While open-source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations."

Commercial software is usually seen as riskier than open-source software, for two reasons. First, open-source software almost always has a community that helps keep security on point by reporting issues. Second, most open-source software receives more risk analysis. The license itself is neither a measure of nor a reason for increased security.

The report covers the period from 2015 to 2020: five years of data gathered across 54 open-source projects.

With a sample that wide, the vulnerability of open source is clearly not random. It is no coincidence that these projects share the same risks; they point to a general security risk in open-source projects.

Projects with the most vulnerabilities

Most of the vulnerabilities are concentrated in Jenkins and MySQL: Jenkins has 646 CVEs and MySQL 624. They are not the only projects with vulnerabilities, but they are the ones with the most.

Cross-site scripting, input validation, and access control are the top software weaknesses presented in the study. All of them are weaponized weaknesses: each has been used in real-world attacks.

Other weaknesses were less common but still harmed the security of the software. Deserialization, code injection, error handling, and container issues are among these less common flaws. Being less common means fewer CVEs, but added together they still reach a number that is relevant and serious.

In conclusion, updating the security standards and safety protocols for open-source projects is critical. As we have seen, vulnerabilities increased by over 130% from 2018 to 2019, and the numbers are still growing in 2020. Many vulnerabilities occur on the biggest platforms, such as GitHub. Projects are reported by community members or independent developers, but by the time the issues reach the National Vulnerability Database they affect thousands if not millions of developers. The estimated time to add a CVE to the NVD is 54 days, though some cases have reportedly taken as long as 1,817 days. Open-source security is under threat and needs to be improved as soon as possible.

Tags: Open-Source, Security, Vulnerabilities
Lucas Bonder
Technical Writer
Lucas is an Entrepreneur, Web Developer, and Article Writer about Technology.
