Open source software’s security vulnerabilities remain hidden for almost four years before being detected


It can take an average of over four years for vulnerabilities in open source software to be spotted, an area the security community must address, researchers say.

According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever.

Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year.

You would be hard pressed to find a scenario where your data doesn’t pass through at least one open source component. Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.

GitHub conducted a deep dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across two periods: October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.

Only active repositories are included, excluding forks and ‘spam’ projects. The package ecosystems that were observed are Composer, Maven, npm, NuGet, PyPI, and RubyGems.

In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Open source dependencies are most often found in JavaScript — 94% — as well as in Ruby and .NET, at 90% each.

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says “indicates clear opportunities to enhance vulnerability detection.”

However, the bulk of bugs in open source software aren’t malicious. Instead, 83% of the CVE alerts issued by GitHub are caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes.

In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they’re most frequently found in abandoned or rarely used packages.

According to GitHub, 59% of active repositories on the platform will receive a security alert within the coming year. Over 2020, Ruby and JavaScript were the most likely to receive an alert.

Defining the ‘worst’ open source vulnerabilities of 2020 isn’t a simple task, because it depends on the reach of impact — on users and repositories — as well as exploitability and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype pollution flaw in lodash as a top vulnerability.

Tracked as CVE-2020-8203 and issued a severity score of 7.4, the RCE security flaw alone has been responsible for over five million GitHub Dependabot alerts, since lodash is one of the most widely used and popular npm packages.

The open source community now plays a key role in the development of software, but as in any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a daily basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way.
