Vulnerabilities in popular open source projects doubled in 2019


A study has analyzed 54 major open source projects and shows that the security vulnerabilities within these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year.

According to RiskSense’s The Dark Reality of Open Source report, released today, the company found 2,694 bugs reported in popular open source projects between 2015 and March 2020.

The analysis did not focus on projects such as Linux, WordPress, Drupal and other extremely popular free tools, as these projects are often monitored and security bugs make the news, ensuring that most of these security issues are corrected fairly quickly.

Instead, RiskSense looked at other popular open source projects that are not as well known but widely adopted by the tech world. The analysis covers tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet and others.

RiskSense explains that one of the main problems encountered during their study was that many of the security bugs they had analyzed were reported to the National Vulnerability Database (NVD) several weeks after their public disclosure.

The company said it takes around 54 days on average for bugs found in these projects to be reported to the NVD. For PostgreSQL, reporting delays of up to eight months were observed.

As cybersecurity and IT software companies use the NVD database to create and send security alerts, the delays have resulted in situations in which the companies have remained exposed to attacks.


The delays also gave malicious actors time to create and deploy exploits, and some of these security bugs were exploited in the wild as a result.

RiskSense indicates that of the 54 projects analyzed, the Jenkins automation server and the MySQL database server had the most frequently exploited vulnerabilities since 2015, with 15.


“However, many CVEs do not necessarily translate into equally large amounts of exploited vulnerabilities,” said RiskSense.

Other open source projects, such as the Vagrant virtualization software and the Alfresco content management system, have fewer bugs, but those bugs are sometimes easier to exploit.

With open source components now part of around 99% of commercial software projects, RiskSense argues that improvements are needed in the way security vulnerabilities are handled, both within open source projects themselves and across the industry as a whole.

This is more important than ever now because “open source projects are generating new vulnerabilities at a historically rapid rate”.
