The Open Source Risk Report indicates a surge in attacks employing malicious packages and vulnerabilities, which presents more difficulties for security teams.
The Open Source Risk Report, released today by Mend, exposes the enormous risk posed by the continued rise in open source vulnerabilities and software supply chain threats. The report states that the number of open source vulnerabilities Mend discovered and added to its vulnerability database in the first nine months of 2022 was 33% higher than in the same period of 2021, reflecting both the acceleration of vulnerability discovery and the growth in the number of published open source packages. This expanding exposure is a significant problem as organisations continue to rely heavily on their applications for success.
According to the report’s representative sample of 1,000 North American organisations from January to September 2022, just 13% of vulnerabilities were patched, compared to 40% for those that used contemporary application security best practices. Today, 70 to 90 percent of applications employ open source code, leaving more businesses susceptible to attack as threat actors take advantage of the remediation gap.
Even when businesses patch tens of thousands of vulnerabilities each month, it takes contemporary remediation best practices to handle the constant stream of newly discovered vulnerabilities and stop the vulnerability backlog from growing. Open source software availability has grown by an estimated 25%, yet the rise in open source vulnerabilities has outpaced that growth. Because applications are the backbone of the global economy, the use of prioritisation and remediation technologies, together with routine application security scanning, is crucial.
“As security debt continues to rise, it’s crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack,” said Jeffrey Martin, VP Product Management at Mend. “Using remediation tools that can assess and prioritize the vulnerabilities that can most heavily impact systems is an important element to managing security debt. Organizations should not just pay attention to severity details, though; to ensure effective prioritization and remediation, they need to also look at the exploitation context of flaws on their own and in conjunction with others.”