WhiteSource: New approach needed to deal with open source vulnerabilities
Software developers generally spend an inordinate amount of time trying to address open source vulnerabilities, largely because there are no standard practices and developer-focused tools to assist them.
That's according to the recently published WhiteSource State of Open Source Vulnerability Management Report, which is based on a survey of 650 developers from the US and Europe who use open source components regularly as a matter of policy.
The report also includes data from various data sources such as the United States government repository of standards-based vulnerability management data, the National Vulnerability Database (NVD); as well as security advisors, peer-reviewed vulnerability databases, and popular open source issue trackers.
According to Rami Sass, CEO and co-founder of WhiteSource, while the open source community is doing a good job at identifying vulnerabilities in open source projects, users are unable to fully benefit from their efforts because information about vulnerabilities is not published in one centralised location. Instead, it is scattered across hundreds of resources which are often badly indexed and therefore difficult to search.
XHead = Time wasted
The survey found that on average, developers spend about 15 hours every month addressing open source vulnerabilities - but a sizeable number (over 40%), spend between 20 and 60 hours per month involved in reviewing, discussing, addressing and remediating vulnerabilities. These efforts come at a huge cost in terms of time wasted - and the cost is even higher when one considers that it is the more experienced developers who are usually the ones tasked with remediating open source vulnerabilities.
When asked what they do when a vulnerability is discovered, there were no clear answers - a reflection, Sass says, of the fact that there are no standard practices to deal with the issue.
At the same time, the report notes that there was a significant rise in the number of open source vulnerabilities in 2017, up by 51% to reach almost 3 500. This trend continued into 2018.
Not a weakness of open source
However, Sass maintains that this does not indicate a weakness in open source. Rather, he believes, it's an indication of the benefits of open source: because of the software development community's focus on open source security, there is 'an army' of researchers analysing open source projects for vulnerabilities, as well as a quick turnaround for the development of fixes.
In fact, the WhiteSource report notes that 97% of all reported vulnerabilities have at least one suggested fix in the open source community, with security updates usually published within days of the publication of a vulnerability.
Nevertheless, the report notes that the majority of disclosed open source vulnerabilities are found in a limited number of projects - the most popular ones. Sass believes that rather than this being an indication of poor security standards, it can be attributed to the fact that there are far more 'eyeballs' on the more popular projects, making the detection and reporting of vulnerabilities more likely.
Nevertheless, the fact remains that nearly one third of the top 100 open source projects have at least one reported vulnerability, and vulnerable open source projects are likely to contain an average of eight.
XHead = 10 most vulnerable
According to the WhiteSource report, the top 10 most vulnerable open source projects, based on the number of vulnerabilities are:
- Mozilla Firefox (1470)
- Linux (1249)
- Chromium (602)
- Wireshark (549)
- Oracle Java SE (531)
- PHP (486); Moodle (451)
- ImageMagick (415)
- FFmpeg (281)
- WordPress (245).
According to Sass, while the open source community is doing a good job at securing open source projects, users are unable to fully benefit from their efforts because information about vulnerabilities is not published in one centralised location. Instead, it is scattered across hundreds of resources which are often badly indexed and therefore difficult to search.
"Although the high number of open source vulnerabilities, including the most popular projects, might seem overwhelming, learning the way that the community manages open source security is a step in the right direction," he says.
"The next step is accepting that open source security management comes with a different set of rules, tools and practices than securing commercial or proprietary components. Sticking with the same vulnerability management programs and tools won't help with open source security management.
"Adopting an open source security policy that addresses these differences and incorporating the right technologies to automate their management will help security and development teams face the unique challenges of open source vulnerabilities head-on, allowing them to get back to the business of building great software," Sass concludes.