- The research dataset included 54 open source projects
- The report said that Cross-Site Scripting (XSS) and Input Validation weaknesses were both some of the most common and weaponised types of weaknesses in the study
The total number of open source software (OSS) vulnerabilities more than doubled in 2019 compared with 2018, according to a report by RiskSense. The report said the count of Common Vulnerabilities and Exposures (CVEs) rose from 421 in 2018 to 968 last year.
The study also said that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion in the NVD. This leaves organisations exposed to serious application security risks for almost two months. As per the report, these long gaps were seen across all severities, including vulnerabilities rated as ‘Critical’ and those that were weaponised (meaning those for which an exploit is present in the wild).
Srinivas Mukkamala, CEO of RiskSense, said, “While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
54 open source projects
The RiskSense Spotlight Report “The Dark Reality of Open Source” used several factors to build the list of OSS projects to study. These included popularity on GitHub, the market value of companies built on specific open source projects (for example, Elastic and Elasticsearch), and various OSS software lists such as the BOSS index. The research dataset included 54 open source projects. Data from 2015 through the first three months of 2020 was gathered and analysed, giving a total of 2,694 CVEs.
The report added, “Vulnerabilities in open source software are taking an extremely long time to be added to the U.S. NVD. The average time between the first public disclosure of a vulnerability and its addition to the NVD was 54 days. The longest observed lag was 1,817 days for a critical PostgreSQL vulnerability. 119 CVEs had lags of more than one year, and almost a quarter (24 per cent) had lags of more than a month. These lags were consistent across all severities of vulnerabilities, with critical severity vulnerabilities having some of the longest average lag times.”
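The measurement the report describes (lag from first public disclosure to NVD inclusion, the share of entries lagging more than a month or a year, and the average lag per severity) is something a defender can reproduce against their own vulnerability tracking. The script below is an added example and is not RiskSense's code or data: the records, CVE identifiers (`EXAMPLE-1` and so on), dates and severities are constructed, and the `as_of` date stands in for "today" so that entries disclosed but not yet in NVD are counted as open exposure rather than ignored.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass(frozen=True)
class VulnRecord:
    """One tracked vulnerability. All values in SAMPLE below are constructed."""
    cve_id: str
    severity: str              # "Critical", "High", "Medium" or "Low"
    disclosed: date            # first public disclosure
    nvd_added: Optional[date]  # None if the entry has not appeared in NVD yet
    weaponised: bool           # public exploit code exists

def lag_days(rec: VulnRecord, as_of: date) -> int:
    """Disclosure-to-NVD lag; for pending entries, the exposure window so far."""
    end = rec.nvd_added if rec.nvd_added is not None else as_of
    return (end - rec.disclosed).days

def summarise_lag(records, as_of: date, month_days: int = 30, year_days: int = 365) -> dict:
    """Aggregate the lag figures the report quotes: mean, max, long-lag counts,
    per-severity mean, mean for weaponised entries, and still-pending IDs."""
    lags = [lag_days(r, as_of) for r in records]
    by_severity: dict[str, list[int]] = {}
    for r in records:
        by_severity.setdefault(r.severity, []).append(lag_days(r, as_of))
    weaponised_lags = [lag_days(r, as_of) for r in records if r.weaponised]
    return {
        "count": len(records),
        "mean_lag": mean(lags),
        "max_lag": max(lags),
        "over_month": sum(1 for d in lags if d > month_days),
        "over_year": sum(1 for d in lags if d > year_days),
        "mean_lag_by_severity": {s: mean(v) for s, v in by_severity.items()},
        "weaponised_mean_lag": mean(weaponised_lags) if weaponised_lags else None,
        # Entries disclosed but absent from NVD: an NVD-only scanner misses these.
        "pending": [r.cve_id for r in records if r.nvd_added is None],
    }

# Constructed sample data; not taken from the report.
SAMPLE = [
    VulnRecord("EXAMPLE-1", "Critical", date(2019, 1, 10), date(2019, 1, 12), True),
    VulnRecord("EXAMPLE-2", "Critical", date(2019, 2, 1),  date(2020, 3, 1),  False),
    VulnRecord("EXAMPLE-3", "High",     date(2019, 3, 5),  date(2019, 3, 25), True),
    VulnRecord("EXAMPLE-4", "High",     date(2019, 4, 1),  date(2019, 6, 10), False),
    VulnRecord("EXAMPLE-5", "Medium",   date(2019, 5, 15), date(2019, 5, 15), False),
    VulnRecord("EXAMPLE-6", "Medium",   date(2019, 7, 1),  date(2019, 9, 1),  True),
    VulnRecord("EXAMPLE-7", "Low",      date(2019, 8, 20), date(2019, 8, 22), False),
    VulnRecord("EXAMPLE-8", "Critical", date(2019, 10, 1), None,              True),
]
AS_OF = date(2019, 12, 1)  # the hypothetical reporting date

if __name__ == "__main__":
    summary = summarise_lag(SAMPLE, AS_OF)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The useful output for a defender is not the mean but the `pending` list and the per-severity figures: anything that is still pending, or a Critical entry whose lag is far above the others, is a vulnerability a scanner fed only by NVD will not raise, so it needs a second source (the project's own advisories, the GitHub security advisory feed) to surface it.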
As per the report, the Jenkins automation server had the most CVEs overall with 646, closely followed by MySQL with 624. The two also tied for the most weaponised vulnerabilities (those for which exploit code exists) with 15 each. HashiCorp’s Vagrant had only nine CVEs in total, but six of them were weaponised. Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss had vulnerabilities that were trending or popular in real-world attacks, as per the report.
Cross-Site Scripting (XSS) and Input Validation weaknesses
The report said that Cross-Site Scripting (XSS) and Input Validation weaknesses were both among the most common and most weaponised types of weakness in the study. XSS issues were the second most common type of weakness but the most weaponised. Input Validation issues were the third most common and second most weaponised. Deserialization Issue (28 CVEs), Code Injection (16 CVEs), Error Handling Issues (two CVEs), and Container Errors (one CVE) were all seen “trending in the wild”, as per the report.