Open source breaches, vulnerabilities on the up
Open source security breaches and vulnerabilities are increasing rapidly, according to two independent surveys published this month.
The 2019 DevSecOps Community Survey, conducted by automated open source governance company Sonatype, found there had been a 71% increase in open source breaches since 2014.
Nearly a quarter (24%) of the 5 558 IT professionals who participated in the 2019 survey reported having suspected or verified a breach that could be attributed to a vulnerability in an open source component or dependency in the last 12 months, compared to 14% in 2014.
The second report, The State of Open Source Security 2019, published by open source security company Snyk, stated there had been an 88% increase in open source application library vulnerabilities over the past two years, with 16 000 new vulnerabilities, an all-time high, disclosed in 2018.
However, that may not be the full story as Snyk warns there could be further growth in the 2018 numbers because some vulnerabilities may not yet have been disclosed.
While a vulnerability is not a breach, the existence of vulnerabilities opens the way for cyber criminals to launch their attacks.
"The more we use open source software, the more risk we accumulate as we're including someone else's code that could potentially contain vulnerabilities now or in the future," noted Liran Tal, author of the Snyk report.
Within Snyk's own database, the number of vulnerabilities has increased by 371% since 2014, with npm vulnerabilities rising 954% and Maven Central vulnerabilities rising 346%.
The severity level of the vulnerabilities is also increasing, with many more being labelled as "high" and "critical" in 2018 compared to previous years.
Snyk also found the top 10 most popular Docker images each contained at least 30 vulnerabilities, yet 54% of developers do not do any Docker image security testing.
In fact, when it came to security testing, 37% of developers admitted to not implementing any sort of security testing during Continuous Integration. Continuous Integration is a development practice that requires developers to integrate code into a shared repository several times a day, and it is supposed to include verification at each check-in so that teams detect problems early.
However, while developers know security is important, with 81% of the 500 open source maintainers and users who participated in the Snyk survey believing developers should own security, they nevertheless acknowledge developers are not well-equipped to deal with all aspects of security. Neither, it seems, are the 70% of open source maintainers who admitted to lacking the skills required to deal with today's complex security challenges.
Skills and know-how aside, participants in the Sonatype survey said one of the difficulties they had in managing software security was simply a lack of time.
The fact that 78% of reported vulnerabilities are found in indirect dependencies makes remediation even more complex.
Nevertheless, users do appear to be responding quickly to the discovery of vulnerabilities and the release of fixes.
Although it can take over two years, on average, for a fix to be released for a vulnerability, the majority (84%) of respondents to the Snyk survey stated they were likely to respond with a fix in less than a week. More than half (56%) are likely to address it within a day, and 22% stated they would address a security issue within a few hours of the vulnerability being reported.