Articles about open source vulnerability

Increased use of open source and third-party code leaves organizations open to more attacks on the software supply chain.

Open source vulnerabilities have become a prime target for attackers and organizations need to strengthen their defenses. We spoke to Richard Clark, senior solutions architect at JFrog, to discuss the importance of proactive measures in protecting against these threats.

Continue reading →

New research released from Endor Labs finds that security patches have a 75 percent chance of breaking an application.

It also shows that 69 percent of vulnerability advisories are published after a patch has been released, with a median delay of 25 days between public patch availability and advisory publication, increasing the window of opportunity for attackers to exploit vulnerable systems.

Continue reading →

The percentage of codebases with high-risk open source vulnerabilities -- those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities -- increased from 48 percent in 2022 to 74 percent in 2023, according to new research.

The Open Source Security and Risk Analysis (OSSRA) report from Synopsys is based on findings from more than 1,000 commercial codebase audits across 17 industries. While codebases containing at least one open source vulnerability remain consistent year-on-year at 84 percent, significantly more codebases contained high-risk vulnerabilities in 2023.

Continue reading →

Crowdsourced security platform Bugcrowd’s latest Vulnerability Trends Report finds that the hacker community recorded a 30 percent increase in web vulnerability submissions on the platform compared to 2022.

In addition it has recorded an 18 percent increase in API submissions, a 21 percent increase in Android submissions, and a 17 percent increase in iOS submissions.

Continue reading →

This year has seen twice as many software supply chain attacks as 2019-2022 combined and one in eight open source downloads today pose known and avoidable risks.

The latest State of the Software Supply Chain Report from Sonatype, which logged 245,032 malicious packages in 2023, also shows that 96 percent of vulnerabilities are still avoidable.

Continue reading →

Google has announced a new tool designed to help identify vulnerabilities in open source software.

The OSV-Scanner is described as a frontend to the existing OSV (open source vulnerabilities) database and one of the aims is to alert developers to security issues in the code their projects depend on.

Continue reading →