Open source vulnerabilities doubled in 2019
Open source code allows developers to quickly integrate new capabilities into applications without having to reinvent the wheel, but it doesn't come without hazards.
A new report from RiskSense provides in-depth findings on vulnerabilities in leading open source software (OSS), including the most weaponized weaknesses, which software is most at risk, and the top types of attacks.
Among the report's key findings are that total vulnerabilities in OSS more than doubled in 2019 from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year. The study also reveals that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion.
This delay can cause organizations to remain exposed to serious application security risks for almost two months. These very long lags are seen across all severities including vulnerabilities rated as 'Critical' and those that have been weaponized, meaning that the exploit is present in the wild.
"While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blindspot for many organizations," says Srinivas Mukkamala, CEO of RiskSense. "Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences."
Other findings show that the Jenkins automation server had the most CVEs overall with 646, closely followed by MySQL with 624. These two OSS projects also tied for the most weaponized vulnerabilities with 15 each. By contrast, HashiCorp's Vagrant only had nine total CVEs, but six of them were weaponized, making it one of the most weaponized open source projects in percentage terms.
Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss all had vulnerabilities that were trending or popular in real-world attacks.
Cross-Site Scripting (XSS) and Input Validation weaknesses are among the most common and most weaponized types of weaknesses in the study. XSS issues are the second most common type of weakness, but the most weaponized. Input Validation issues are the third most common and second most weaponized.
The full report is available from the RiskSense site.