The number of vulnerabilities found in popular open source projects more than doubled between 2018 and 2019, according to a recent report by vulnerability management firm RiskSense, raising concerns that the record will be broken again in 2020. Given these risks, security vulnerabilities need to be addressed if the open source software (OSS) industry is to flourish going forward, RiskSense's researchers argued.
The new report, entitled "The Dark Reality of Open Source", lays out the risks increasingly plaguing open source software. It found that the total number of Common Vulnerabilities and Exposures (CVE) entries shot up to 968 in 2019, a considerable leap from the 421 CVEs recorded in 2018 and a rise of 130% in the span of a single year.
In addition, security vulnerabilities in open source projects take an average of 54 days after their public disclosure to be added to the National Vulnerability Database (NVD), according to the researchers, leaving those vulnerabilities exposed for an inordinate amount of time.
"While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations," explained RiskSense chief executive Srinivas Mukkamala. "Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences."
Key takeaways on the exploitation of security vulnerabilities
Among the most noteworthy findings of the study, which relied on data from 2,694 vulnerabilities in 54 open source projects, was the 130% rise in the number of recorded CVEs in 2019. "This increase does not appear to be a flash in the pan as the discovery of new CVEs also remains at historically high levels through the first three months of 2020," the researchers warned, adding that managing one's attack surface is therefore becoming more important.
The researchers also noted widespread problems with NVD disclosure latency, meaning that adding security vulnerabilities to the National Vulnerability Database can take a very long time.
While the researchers put the average lag at 54 days, the longest observed lag was 1,817 days, nearly five years. "This latency creates a dangerous lack of visibility for organizations who rely on the NVD as their main source of CVE data and context information," the researchers cautioned.
In addition to these findings, the report revealed that the Jenkins automation server and the MySQL database management system generate the most security vulnerabilities among the open source projects surveyed, accounting for 646 and 624 CVEs respectively. Both systems also suffered the highest number of weaponized vulnerabilities, with 15 each.
The report also found access control and input validation issues to be the most weaponized types of security vulnerability surveyed. Both classes of vulnerability can enable remote code execution by an attacker, the researchers warned, and the data indicates that they are a popular target for active attack campaigns.
Open source projects get riskier
According to Jayant Shukla, CTO and co-founder of K2 Cyber Security, the results of the report clearly indicate that the upward trajectory of CVEs affecting open source projects is likely to continue. He says RiskSense's findings mirror what can be seen in the Vulnerability Notes Database, where a record number of security vulnerabilities was also recorded in 2019, with 2020 looking set to break that record.
"The continued use of open source code is one of the main reasons that web applications remain so vulnerable to exploits," explained Shukla. "We also see the use of third-party code, and the reuse of existing code in order to bring web applications to production as quickly as possible, as key contributors to the increase in vulnerabilities."
Aside from its implications for open source projects and for the OSS industry more broadly, Shukla believes that the report serves to underscore the importance of solid security and privacy controls in mitigating the risks associated with CVEs. “This report is another reminder, along with the recent addition of RASP (Runtime Application Self-Protection) to the NIST SP800-53 framework, that application security is more important than ever,” he said.
Agreeing that organizations should prioritize security and privacy measures, the authors of the report also emphasize vulnerability management, especially for open source projects. "[The risk] makes it all the more important to incorporate real-world vulnerability context into a risk-based approach to vulnerability management for open source software," concluded the researchers.