4 million open source security flaws identified

By Marilyn de Villiers
Johannesburg, 29 Mar 2018

Within a month of launching a scan for known vulnerabilities in JavaScript and Ruby libraries, the GitHub code repository site identified an incredible 4 million security flaws in the half-a-million repositories on its platform.

Known vulnerabilities are bugs that are recorded in standardised, shared lists, documented and compiled by members of the wider security community. The most comprehensive of these is the Common Vulnerabilities and Exposures (CVE) list.

According to GitHub, the scan was undertaken because, as more developers draw on existing code libraries to build new tools, tracking changes in those dependencies, including newly disclosed security vulnerabilities, has become more difficult.

Now GitHub has launched a new service that alerts project owners as soon as it becomes aware of any newly announced vulnerabilities. The development platform believes that the alert should have a major impact on security, given that it now hosts nearly 70 million repositories, with projects that rely on dependent software packages or software libraries that frequently do not get updated when new flaws are disclosed.

However, after the initial scan, only 450 000 of the flagged vulnerabilities were resolved by repository owners, either by removing the dependency or by switching to a secure version. That still leaves over 3 million unfixed vulnerabilities. Since then, only around half of all alerts have been responded to; the rest remain unaddressed.

GitHub's scan was not the first to highlight the weaknesses in open source code. Soon after the Equifax security breach, which saw millions of personal records of consumers in the US and UK placed at risk because of a vulnerability in Apache Struts, a popular Java library, the UK-based open source vulnerability database operator Snyk scanned 1 000 open source projects on GitHub and found that 64% were vulnerable to a severe remotely exploitable flaw - despite the fact that the Apache Foundation had provided patches months before.

A recent Snyk survey also revealed that over 16% of developers don't update dependencies and that less than 50% use tools to alert themselves to known vulnerabilities.

According to Derek Weeks, vice president at Sonatype, an open source governance and DevSecOps automation company, this is set to change. Authorities around the world are starting to get tough on developers who fail to protect the public from data theft and misuse resulting from their less-than-stringent application of vulnerability fixes.

In Europe, regulators have taken significant strides to improve cyber security and data privacy practices, passing laws to hold organisations liable for poor cyber hygiene practices.

In May 2018, the EU's General Data Protection Regulation will take effect. It states that organisations must "implement appropriate technical and organisational measures" to "ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services." In addition, the regulation mandates that data protection measures must be implemented "by design and by default". Those who fail to follow these rules and experience a breach could be fined up to the greater of EUR20 million or 4% of global annual turnover.

In addition, the UK has released its National Cyber Security Strategy 2016-2021, which states that organisations are "ultimately liable for the security of the data and systems" and will be subjected to punitive fines for gross negligence.

There are also moves to introduce similar legislation in the United States.