Open source vulnerabilities go undetected for over four years
For its annual State of the Octoverse report, GitHub has analyzed over 45,000 active code directories to provide insight into open source security (vulnerabilities) and developers’ practices regarding vulnerability reporting, alerting and remediation.
The Microsoft subsidiary found that security vulnerabilities often go undetected for more than four years before being disclosed.
Additional findings
Security vulnerabilities can impact software directly or through its dependencies.
After examining a year-worth of data collected through its dependency graph, the company has found that most projects on GitHub have at least one open source dependency.
The percentage is highest for those using JavaScript (94%), Ruby (90%), and .NET (90%). JavaScript and Rudy projects also have the highest number of median direct dependencies (10 and 9, respectively), and JavaScript has by far the highest number of median transitive dependencies (i.e., their direct dependencies have additional dependencies themselves).
Another interesting finding is that most open source software vulnerabilities are caused by mistakes, not malicious attacks.
“Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem,” they shared.
The most blatant indicator of a backdoor is an attacker gaining commit access to a package’s source code repository, usually via an account hijack, they explained, and the last line of defense against these attempts is careful peer review in the development pipeline, especially of changes from new committers.
“Many mature projects have this careful peer review in place. Attackers are aware of that, so they often attempt to subvert the software outside of version control at its distributition points or by tricking people into grabbing malicious versions of the code through, for example, typosquatting a package name.”
Not that vulnerabilitities introduced by mistake cannot be just as disruptitive as malicious attack – they can, and they are much more likely to impact popular projects, GitHub noted.
Add to this the discovery that a vulnerability typically goes undetected for over four years, and you can see how problems may arise.
Best practices to improve the situation
“Security is always a concern when working with software. Our analysis shows that potential vulnerabilities found scale with the number of lines of code written,” they noted.
“The power and promise of open source is in the power of the community. By joining forces with millions of developers to not only build software packages but also identify and fix vulnerabilities, we can build software more quickly and more securely.”
The key, they say, is to leverage automated alerting and patching tools. “Our own analysis found that repositories that automatically generated a pull request to update to the fixed version patched their software in 33 days, which is 13 days faster than those who did not, or 1.4 times faster.”