New vulnerabilities in open source packages down 20% compared to last year
New vulnerabilities in open source packages were down 20% compared to last year, suggesting that the security of open source packages and containers is heading in a positive direction, according to Snyk.
Well-known vulnerability classes, such as cross-site scripting, continue to be reported, but they are not affecting as many projects as they did in previous years. The trend is reinforced as organizations drive a culture shift that treats open source and container security as a core responsibility shared and integrated across development, security and operations teams.
This year the report took an even deeper look at vulnerability and ecosystem-level trends that impact the overall security posture of organizations relying on open source libraries.
Across the six popular ecosystems the report examined, fewer new vulnerabilities were reported in 2019 than in 2018, a promising finding. There is still significant room for improvement, however: slightly less than two thirds of vulnerabilities still take more than 20 days to remediate.
Common threats getting caught and remediated early
While well-known vulnerabilities in open source packages, such as cross-site scripting, are reported in high numbers, the number of projects they impact is fairly low. These common threats appear to be getting caught and remediated early, unlike some lesser-known vulnerabilities.
For example, the report found certain vulnerabilities reported in highly popular packages that affect thousands of dependent projects, which increases the probability of them being exploited by attackers. According to the report, the top vulnerability currently impacting scanned projects is prototype pollution, present in nearly 27% of all projects.
For the first time in the last four years, there has been a big shift in security mindset as organizations start embracing the core elements of DevSecOps and begin implementing more scalable programs and best practices to ensure shared responsibility.
Who should be responsible for designing and implementing security controls?
When respondents were asked the multi-answer question of who should be responsible for designing and implementing security controls in their software development, development teams were commonly identified alongside operations and security teams. This is a much more even spread across the three teams than last year, when less than 25% felt security and operations played a role.
However, the fact that every response was below 65% indicates that respondents still did not typically identify all three groups as jointly responsible. While progress has been made, a more significant shift towards a shared-responsibility culture is clearly still needed.
“This year’s report is very encouraging as we are seeing the volume of open source vulnerabilities trending down for the first time in four years. In addition, there are positive trends emerging around the collaboration of development, security and operations teams to address the growing demand for secure application development,” said Alyssa Miller, Application Security Advocate, Snyk.
“Despite the year over year progress, we must continue to prioritize security and empower organizations to implement programs to help drive DevSecOps and developers to be involved in securing their code from the very beginning. We need to focus on continuing these efforts to ensure these emerging trends continue on this positive trajectory in 2021 and beyond.”
Open source statistics
Open source ecosystems continue to expand, led by npm, which grew over 117% in 2019 and now spans more than 1,300,000 packages.
Vulnerability trends
- New vulnerabilities were down almost 20% across the most popular ecosystems in 2019.
- Cross-site scripting vulnerabilities were the most commonly reported.
- Two prevalent prototype pollution vulnerabilities resulted in an impact on over 25% of scanned projects.
- New vulnerabilities reported in common Linux distributions demonstrate the need for comprehensive monitoring for new vulnerabilities in container images.
- SQL injection vulnerabilities, while decreasing in prevalence in most ecosystems, have increased over the last three years in PHP packages.
Container and orchestration challenges
- Official base images tagged as latest include known vulnerabilities; in particular, the official node image has almost 700 known vulnerabilities.
- Over 30% of survey participants do not review Kubernetes manifests for insecure configurations.
- Requirements for security-related resource controls in Kubernetes are not widely implemented.
Security culture
- Increasingly, survey respondents feel that security for software and infrastructure should be shared among development, security, and operations roles.
- However, few organizations have programs in place to develop shared responsibility across the dev, sec, and ops personnel.