Study Finds Open Source Vulnerabilities Doubled in 2019Increasing Use of Open Source Software Creates More Opportunities for Flaws
The number of reported vulnerabilities found in open source software more than doubled in 2019 to almost 1,000, with projects such as Magento, GitLab, and Jenkins posting the largest increases year-over-year, according to a new research from security firm RiskSense.
The report, entitled " The Dark Reality of Open Source," states that in 2019 there were 968 CVEs assigned to vulnerabilities in open source software, up from 421 in 2018 - and 179 have been logged for the first three months of 2020. The reason for the increase, RiskSense believes, is that between 80% and 90% of all software currently in use has an open source component. And while more defects can be spotted because of this high level of use, it also means any vulnerability that has slipped through the cracks is widely shared, according to the report.
"While open source projects can rapidly go viral, so can their vulnerabilities," the report notes.
The report tracked the number of vulnerabilities reported from 2015 through the first quarter of 2020, but does not include Linus, Drupal or WordPress, which were analyzed separately in other reports.
Application Security is a Priority
Jayant Shukla, CTO and co-founder of security firm K2 Cyber Security, says the report is a reminder that application security is more important than ever and must remain a priority.
"The continued use of open source code is one of the main reasons that web applications remain so vulnerable to exploits. We also see the use of third party code, and the reuse of existing code in order to bring web applications to production as quickly as possible, as key contributors to the increase in vulnerabilities," Shukla tells Information Security Media Group.
Slow Reporting Process
Other key findings include the long period of time it takes for open source vulnerabilities to be included in the U.S. National Vulnerability Database (NVD); that Jenkins and MySQL generate the most vulnerabilities; and that cross-site scripting and input validation are the most weaponized weaknesses.
On average - over the four years the report covered - it took 54 days for a vulnerability to be added to the NVD with the longest observed being 1,817 days. In addition, 119 of the CVEs listed took more than a year to be posted with about a quarter needing a month to post.
"While we haven't done a latency analysis across the entire NVD, the vast majority of CVEs are added in the first few days of being published. The system is designed to be such that the NVD is in real-time sync with the CVE list published by MITRE, but the data shows that is not the case," Dasher says.
"This latency creates a dangerous lack of visibility for organizations who rely on the NVD as their main source of CVE data and context information. While Linux vulnerabilities are obviously significant, they have been well documented in other," the report also notes.
Jenkins and MySQL Lead the Way
During this period Jenkins and MySQL had the most vulnerabilities with the former garnering 646 and the latter 624. Jenkins also managed to make an impression in 2019 joining Magento and GitLab for the honor of showing the largest year-over-year increase in the number of vulnerabilities for each. Magento had no vulnerabilities in 2018 but 137 in 2019, while the number found GitLab jumped 400% from 40 to 198 and Jenkins went from 120 to 329, the report states.
Having a large number of vulnerabilities does not necessarily equate to being subjected to many weaponized vulnerabilities. The report finds that while Magento and MySQL have many vulnerabilities the number that have been weaponized, about 2.3%, is below the 3.4% average. Other open source products, such as Apache Tomcat, Vagrant and Alfresco, have fewer vulnerabilities overall but a much higher percentage have been weaponized at 9.7%, 66% and 33%, respectively, the report notes.
RiskSense believes the number of vulnerabilities found in open source software will continue to increase as more companies turn to it as a quick way to launch projects. The fact that these flaws take a long time to work their way through the pipeline to the NVD mean companies will have a hard time discovering if their projects are vulnerable.