Good news, bad news in latest open source vulnerability report
There’s good news and bad news on the open source security front, according to the 2020 WhiteSource State of Open Source Security Vulnerabilities report.
Based on its own database, aggregated from the US National Vulnerability Database (NVD), dozens of security advisories and popular open source issue trackers, WhiteSource determined that a record-breaking 6 000 open source vulnerabilities were published in 2019.
This is an increase of nearly 50% on 2018. The report suggests, however, that the rise is itself good news: it reflects the growing number of eyes focused on open source security research as open source usage continues to grow.
More good news is that over 85% of these open source vulnerabilities already have a fix available when they are disclosed. This fix, says the report, is usually an updated version or a patch for the vulnerable code.
The bad news is that, despite heavy investment by tech giants in securing and managing open source projects, and the open source community's own efforts to research and publish new vulnerabilities, users are not always able to benefit from all this work.
The reason, according to the report, is that only 84% of known open source vulnerabilities eventually appear in the NVD. Some 45% are published in the NVD only months after being reported in other resources, and many never make it to the NVD at all.
True state of vulnerabilities
Another good news/bad news scenario highlighted in the report relates to the way in which reported vulnerabilities are rated in order to enable development teams to quickly prioritise their security alerts.
The most widely used rating system, the CVSS (Common Vulnerability Scoring System), has been revised over the years in an attempt to provide an objective standard for the different severity categories of vulnerabilities.
However, WhiteSource's analysis of the scoring system over the past three years found that more and more vulnerabilities that might not have been scored highly in the past were now being categorised as “high” or “critical” severity requiring immediate attention. The result is that while 17% of vulnerabilities are rated “critical”, only 2% are rated “low”, an outcome WhiteSource believes does not accurately reflect the true state of vulnerabilities.
One of the reasons for its scepticism, WhiteSource says, is that creating a CVE (Common Vulnerabilities and Exposures) entry is a time-consuming process. As a result, many developers may simply not bother to create CVEs for lower-severity issues, skewing the ratings ratio.
Regardless of whether the severity ratio is accurate or not, WhiteSource questions the ability of development teams to prioritise vulnerabilities efficiently when over 55% are rated high-severity or critical.
Addressing the chaos
Looking ahead, WhiteSource predicts that the number of reported open source vulnerabilities will continue to rise through 2020.
The good news, however, is that the open source community is continuing to look for new initiatives to address what it terms “the chaos in the open source security process”.
One such initiative is the GitHub Security Lab which is designed to encourage open source project maintainers to properly report vulnerabilities rather than having a third party report the problem.
However, WhiteSource is concerned that with developers already struggling to keep up with the increased rate of open source vulnerabilities, tools like GitHub Security Lab could exacerbate the current situation of bad, slow or non-reporting of vulnerabilities.