Detecting and identifying vulnerabilities in open source software can take as long as four years, according to GitHub's annual State of the Octoverse report.
The research, which looked at the efforts of over 56 million developers worldwide creating over 60 million repositories over the last 12 months, found that once flaws had been identified, the package maintainer and security community typically generate and release a fix in 4.4 weeks.
The report’s authors said that this highlighted the opportunities to improve vulnerability detection in the security community.
“Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world,” the report said.
The research found that 94% of projects have open source dependencies written in JavaScript, while Ruby and .Net were close second and third at 90.2% and 89.8%, respectively.
GitHub also found that most software vulnerabilities are mistakes, not malicious attacks. An analysis of a random sample of 521 advisories from across six ecosystems found that 17% of the advisories stemmed from explicitly malicious behavior, such as backdoor attempts. The remaining 83% of vulnerabilities were due to mistakes.
“These malicious vulnerabilities were generally in seldom-used packages but triggered just 0.2% of alerts. While malicious attacks are more likely to get attention in security circles, most vulnerabilities are caused by mistakes,” said the report.
RELATED RESOURCE
A buyer’s guide to managed detection and response (MDR) services
Simplifying and strengthening your security programme through outsourcing
The report urged developers to use automation to remediate vulnerabilities and stay secure.
“Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit," the report's authors said.
"Repositories that automatically generate pull requests to update vulnerable dependencies patch their software 1.4 times faster than those who don’t. Automating security practices helps your team secure your code as developers share their expertise with their community, remove security and engineering silos, and scale their expertise."
Phil Odence, general manager of Black Duck On-Demand at Synopsys, told ITPro that the main takeaway here is a significant amount of open source in virtually every modern application used today, so companies must track and manage the code to keep those apps secure.
“The report focuses on security and so doesn’t delve into legal risks associated with licensing; however, despite being 'free,' open source software is no different from other software in that its use is governed by a license.
"Based on research conducted for the 2020 OSSRA report, 68% of codebases contained some form of open-source license conflict, and 33% contained open-source components with no identifiable license. This is another way in which open source can get organizations into hot water, and thus should be managed and not overlooked,” he said.
-
AI is helping bad bots take over the internetNews Automated bot traffic has surpassed human activity for the first time in a decade, according to Imperva
-
Two years on from its Series B round, Hack the Box is targeting further growthNews Hack the Box has grown significantly in the last two years, and it shows no signs of slowing down
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Organizations urged to act fast after GitHub Action supply chain attackNews More than 20,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action.
-
Nearly a million devices were infected in a huge GitHub malvertising campaignNews Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
'GitVenom' campaign uses dodgy GitHub repositories to spread malwareNews Security researchers have issued an alert over a campaign using GitHub repositories to distribute malware, with users lured in by fake projects.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Malicious GitHub repositories target users with malwareNews Criminals are exploiting GitHub's reputation to install Lumma Stealer disguised as game hacks and cracked software
