What open source means for cybersecurity
Outdated and inadequately maintained components, together with insecure dependencies, mean the open-source ecosystem presents numerous risks that can expose organizations to attack. This article collects excerpts from 2024 open-source security reports that can help your organization strengthen its software security practices.
70% of open-source components are poorly or no longer maintained
Regardless of geographic origin, the average mid-size application exhibits several disturbing trends that lead to critical vulnerabilities. Open source contributes 2 to 9 times as much code as your developers write, and 95% of security weaknesses originate in open-source package dependencies. 51% of these vulnerabilities, across all CVE severity levels, have no known fix.
Paid open-source maintainers spend more time on security
Paid maintainers are 55% more likely than unpaid maintainers to implement critical security and maintenance practices, and they dedicate more time to the practices described in industry standards such as the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF).
Trends and dangers in open-source software dependencies
For a vulnerability in an open-source library to be exploitable, there must be, at minimum, a call path from the application to the vulnerable function in that library. The report finds this to be true for fewer than 9.5% of all vulnerabilities across the languages explored: Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala. The research also turns a spotlight on the speed of response to emerging risks: nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days.
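The call-path requirement above is what reachability analysis checks. The following Python is an added example, not code from the report or from any vendor's tool: it builds a call graph from two constructed modules, an application `app` and a dependency `libfoo` whose `_eval_expr` stands in for the function an advisory would name as vulnerable, and searches for a path from the application's entry points to that function. All module and function names are made up for the example.

```python
import ast
from collections import deque

# Constructed sample code base (names are made up for this example): an
# application `app` and the dependency `libfoo` it imports. `libfoo._eval_expr`
# stands in for the function a vulnerability advisory would name.
APP_SRC = """
import libfoo

def main():
    data = load()
    return libfoo.parse(data)
def load():
    return "alpha beta"
def unused_path():
    # Dead code: nothing reachable from main() ever calls this function.
    return libfoo.render_template("{{ 1 + 1 }}")
"""

LIB_SRC = """
def parse(s):
    return _tokenize(s)
def _tokenize(s):
    return s.split()
def render_template(t):
    return _eval_expr(t)
def _eval_expr(e):
    return eval(e)   # the vulnerable sink
"""

MODULES = {"app": APP_SRC, "libfoo": LIB_SRC}
ENTRY_POINTS = ["app.main"]
VULNERABLE_FUNCTION = "libfoo._eval_expr"


def build_call_graph(modules):
    """Return {"mod.func": {"mod2.func2", ...}} over module-level functions.
    Resolves bare names defined in the same module and `alias.attr(...)` calls
    through a plain `import alias`; `from x import y`, methods and dynamic
    dispatch are out of scope, which is why real tools must be conservative."""
    graph = {}
    for mod_name, src in modules.items():
        tree = ast.parse(src)
        aliases = {}          # local alias -> imported module name
        defined = set()       # functions defined at module level
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.FunctionDef):
                defined.add(node.name)
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = graph.setdefault(f"{mod_name}.{node.name}", set())
            for sub in ast.walk(node):
                if not isinstance(sub, ast.Call):
                    continue
                f = sub.func
                if isinstance(f, ast.Name) and f.id in defined:
                    callees.add(f"{mod_name}.{f.id}")
                elif (isinstance(f, ast.Attribute)
                      and isinstance(f.value, ast.Name)
                      and f.value.id in aliases):
                    callees.add(f"{aliases[f.value.id]}.{f.attr}")
    return graph


def find_call_path(graph, entry, target):
    """Breadth-first search; return the call path entry -> target, or None."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in graph.get(cur, ()):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def reachable_from_entry_points(modules, entry_points, vulnerable_function):
    """First call path from any entry point to the vulnerable function, else None."""
    graph = build_call_graph(modules)
    for entry in entry_points:
        path = find_call_path(graph, entry, vulnerable_function)
        if path:
            return path
    return None


if __name__ == "__main__":
    path = reachable_from_entry_points(MODULES, ENTRY_POINTS, VULNERABLE_FUNCTION)
    print(" -> ".join(path) if path else "vulnerable function not reachable from entry points")
```

Here `libfoo.render_template` calls the vulnerable function and `app` does call into `libfoo`, but nothing reachable from `app.main` ever calls `render_template`, so a scanner that stopped at "the package is present" would raise a finding that reachability analysis correctly suppresses. Pointing the search at the dead `app.unused_path` shows the path that would make the vulnerability exploitable. Two caveats a practitioner should keep in mind: a call path is necessary for exploitability, not sufficient, and this toy resolver ignores `from x import y`, methods and dynamic dispatch, so a production tool must resolve those conservatively or it will under-report.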
Most GitHub Actions workflows are insecure in some way
Legit found the security posture of community-developed Actions, which extend GitHub Actions' capabilities, to be concerning. Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and no longer receive regular updates; the average OpenSSF Scorecard score was 4.23 out of 10; and most are maintained by a single developer.
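Given how many marketplace Actions are unverified, archived or maintained by a single developer, the practical check is whether a workflow references them in a way that the maintainer, or whoever compromises the maintainer's account, can change under you. The following Python is added here as an example and is not taken from Legit's research: it scans a constructed workflow file and classifies each `uses:` reference as an in-repo action, a reference pinned to a full commit SHA, or a tag, branch or image tag that is resolved at run time. The workflow, the action names and the 40-hex commit SHA are made up.

```python
import re

# Constructed sample workflow; action names, paths and the 40-hex commit SHA
# below are made up for this example and do not refer to real repositories.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: Third-party action tracked by branch
        uses: some-user/some-action@main
      - run: npm test
"""

# Matches `uses:` at step level, with or without a leading list dash or quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_use(ref):
    """Classify one `uses:` reference by how much trust it places in the
    upstream maintainer at run time. Returns (kind, note)."""
    if ref.startswith("./"):
        return "local", "in-repo action, reviewed with the rest of the repository"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@sha256:" in image:
            return "pinned-digest", image
        return "mutable-ref", f"image tag {image} can be repointed by the publisher"
    if "@" not in ref:
        return "mutable-ref", "no ref given; resolves to the default branch"
    action, version = ref.rsplit("@", 1)
    if COMMIT_SHA_RE.match(version):
        return "pinned-sha", action
    return "mutable-ref", f"{action} resolves {version} at run time; tags and branches can be moved"


def audit_workflow(yaml_text):
    """Scan a workflow file line by line and classify every `uses:` reference.
    Returns a list of (line_number, reference, kind, note)."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            kind, note = classify_use(ref)
            findings.append((lineno, ref, kind, note))
    return findings


def mutable_references(findings):
    """Return only the findings a reviewer should act on: references that a
    single compromised or abandoned maintainer could silently change."""
    return [f for f in findings if f[2] == "mutable-ref"]


if __name__ == "__main__":
    for lineno, ref, kind, note in audit_workflow(WORKFLOW):
        print(f"line {lineno:>3}  {kind:<13} {ref}  ({note})")
```

Every `mutable-ref` finding is a question for the reviewer: is this action's maintainer someone whose tag moves you are willing to execute with your repository's secrets? Pinning to a full commit SHA, with a comment recording the version it corresponds to, removes that run-time trust, and running the same check in CI keeps a later edit from quietly reintroducing a tag reference.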
90% of exposed secrets on GitHub remain active for at least five days
The growing number of code repositories on GitHub, with 50 million new repositories added in the past year (+22%), increases the risk of both accidental and deliberate exposure of sensitive information. The research sheds light on an important security gap: 90% of exposed secrets found to be valid remain active for at least five days, even after the author has been notified.