Failings in open source disclosure put users at risk
As more projects rely on open source components, IT departments need to keep on top of critical vulnerabilities to ensure they are secure
There has been a 50% rise in open source vulnerabilities, according to a study from platform provider WhiteSource.
According to the State of open source security vulnerabilities report, more than 55% of reported open source vulnerabilities in 2019 were classified as “high” or “critical” severity, which WhiteSource said affected IT teams’ ability to prioritise vulnerability remediation.
The study found that the number of disclosed open source software vulnerabilities in 2019 skyrocketed to exceed 6,000. The research, which uses the WhiteSource database, is based on reported vulnerabilities, combining vulnerability reports from the US National Vulnerability Database (NVD), security advisories, peer-reviewed vulnerability databases and open source issue trackers.
While 45% of reported open source vulnerabilities are not initially reported to the NVD, many end up being published in the database months after being reported in other resources, WhiteSource warned.
Its research found that only 29% of all open source vulnerabilities reported outside of the NVD are eventually published in it, and only 84% of known open source vulnerabilities appear in the NVD. Information about vulnerabilities is not published in one centralised location but is scattered across hundreds of resources, and is sometimes poorly indexed, which often makes searching for specific data a challenge. In the report, WhiteSource warned: “Users are not always able to benefit from the community’s efforts.”
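To see why that coverage gap matters to a team that checks only one database, here is an added example (not from the WhiteSource report or this article) that merges constructed records from an NVD-style feed, an advisory feed and an issue tracker by shared identifiers, then lists which findings an NVD-only check would miss. The record schema, feed names and identifiers are simplified placeholders, not real NVD or GitHub advisory formats.

```python
"""Merge vulnerability records from several sources and report NVD coverage.

Added example; all records are constructed sample data in a simplified
schema, not real NVD, GitHub advisory or issue-tracker formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str        # which feed the record came from
    ids: frozenset     # every identifier the feed attaches (CVE, GHSA, issue id)
    package: str
    severity: str


# Constructed feeds. One CVE is known to NVD and the advisory feed, one is
# in the advisory feed and the tracker but not in NVD, and one tracker issue
# has no CVE or advisory at all.
SAMPLE_FEEDS = [
    Record("nvd", frozenset({"CVE-2019-0001"}), "libexample", "HIGH"),
    Record("nvd", frozenset({"CVE-2019-0002"}), "webthing", "MEDIUM"),
    Record("ghsa", frozenset({"GHSA-xxxx-0001", "CVE-2019-0001"}), "libexample", "HIGH"),
    Record("ghsa", frozenset({"GHSA-xxxx-0003", "CVE-2019-0003"}), "parserlib", "CRITICAL"),
    Record("tracker", frozenset({"ISSUE-4242", "GHSA-xxxx-0003"}), "parserlib", "CRITICAL"),
    Record("tracker", frozenset({"ISSUE-5150"}), "cli-tool", "LOW"),
]


def cluster(records):
    """Group records that share any identifier, transitively (CVE <-> GHSA <-> issue)."""
    groups = []  # list of (set_of_ids, [records])
    for rec in records:
        merged_ids, merged_recs, keep = set(rec.ids), [rec], []
        for ids, recs in groups:
            if ids & merged_ids:          # overlaps: absorb the existing group
                merged_ids |= ids
                merged_recs += recs
            else:
                keep.append((ids, recs))
        keep.append((merged_ids, merged_recs))
        groups = keep
    return groups


def coverage_report(records, primary="nvd"):
    """Return (clusters present in `primary`, clusters missing from it) as sorted labels."""
    covered, missing = [], []
    for ids, recs in cluster(records):
        label = min(ids)  # deterministic name; CVE ids sort before GHSA/issue ids
        (covered if any(r.source == primary for r in recs) else missing).append(label)
    return sorted(covered), sorted(missing)


if __name__ == "__main__":
    cov, miss = coverage_report(SAMPLE_FEEDS)
    print("tracked in NVD:", cov)
    print("missed by an NVD-only check:", miss)
```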
One of the positive developments in security reporting, according to WhiteSource, is GitHub’s embedded disclosure process, which it said could encourage open source projects to properly report vulnerabilities, rather than just push a fix.
“Having the maintainers themselves report vulnerabilities should also lead to higher-quality metadata, like affected versions and fixed-in version, as opposed to if a third party reported the problem,” WhiteSource stated in the report.
Safest way to program
The study found that of the most popular programming languages used for open source projects, C had the highest number of vulnerabilities. WhiteSource reported the proportion of reported vulnerabilities in open source C projects rose from 30% in 2018 to 47% in 2019. Python was found to have the lowest proportion of vulnerabilities of the top seven languages used in open source development, with 6% of Python-based open source projects reporting code vulnerabilities.
In the report, WhiteSource said: “C still has the highest percentage of vulnerabilities due to the high volume of code written in this language. However, the numbers are continuously trending down because other languages are also becoming popular.”
The study found that PHP’s relative number of vulnerabilities rose significantly from 15% in 2018 to 23% in 2019, even though there was no evidence to suggest it was gaining in popularity.
WhiteSource also reported that CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation) and CWE-200 (Information Exposure) were the top three Java, JS, PHP and Python vulnerabilities.
The study found that Cross-Site Request Forgery (CSRF) and SQL Injection were among the top 10 risks in 2019. “This might be due to an increase in the volume of open source web projects developed, and it might indicate that web vulnerabilities are on the rise and something we should be mindful of when coding,” said WhiteSource.
WhiteSource urged users of open source projects to be aware of the security risks and make sure to keep open source code dependencies up to date.
“Open source components have become an integral part of our software projects. The open source vulnerabilities landscape might seem complex and challenging at first, but there are ways to gain visibility and control over the open source components that make up products,” the company stated.