Vulnerabilities in popular open source projects doubled in 2019

A study that analyzed the top 54 open source projects found that security vulnerabilities in these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year.

According to RiskSense’s “The Dark Reality of Open Source” report, released today, the company found 2,694 bugs reported in popular open source projects between 2015 and March 2020.

The report didn’t include projects like Linux, WordPress, Drupal, and other super-popular free tools, since these projects are often monitored, and security bugs make the news, ensuring most of these security issues get patched fairly quickly.

Instead, RiskSense looked at other popular open source projects that aren’t as well known but broadly adopted by the tech and software community. This included tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet, and others.


RiskSense says that one of the main problems it found during the study was that a large number of the security bugs analyzed had been reported to the National Vulnerability Database (NVD) many weeks after they had been publicly disclosed.

The company said it took on average around 54 days for bugs found in these 54 projects to be reported to the NVD, with PostgreSQL seeing reporting delays that amounted to eight months.

Since cyber-security and IT software companies use the NVD database to create and send security alerts, the delays in reporting resulted in situations where companies remained exposed and open to attacks.


It also allowed threat actors to create and deploy exploits — resulting in the “weaponization” of a security bug.

RiskSense says that of all the 54 projects it analyzed, the Jenkins automation server and the MySQL database server had the most weaponized vulnerabilities since 2015, both with 15.

“However, large numbers of CVEs don’t necessarily translate to equally large amounts of weaponized vulnerabilities,” RiskSense said.


While other open source projects had fewer bugs, those bugs were sometimes easier to weaponize, such as the case of Vagrant virtualization software and the Alfresco content management system.

With open source projects now part of roughly 99% of all commercial software projects, RiskSense argues that improvements are now needed in the way security vulnerabilities are handled inside open source projects, but also by the industry as a whole.

This is more important than ever now because “open source projects are generating new vulnerabilities at a historically rapid pace.”

Originally published at:
