What open source means for cybersecurity

With outdated and inadequately maintained components, along with insecure dependencies, the open-source ecosystem presents numerous risks that could expose organizations to threats. In this article, you will find excerpts from 2024 open-source security reports that can help your organization strengthen its software security practices.


70% of open-source components are poorly or no longer maintained

Regardless of geographic origin, the average mid-size application shows several disturbing trends that lead to critical vulnerabilities. Open-source components contribute 2 to 9 times as much code as your developers write, and 95% of security weaknesses originate in open-source package dependencies. 51% of these vulnerabilities, across all CVE severity levels, have no known fix.

Paid open-source maintainers spend more time on security

Paid maintainers are 55% more likely than unpaid maintainers to implement critical security and maintenance practices, and they dedicate more time to practices such as those included in industry standards like the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF).

Trends and dangers in open-source software dependencies

For a vulnerability in an open-source library to be exploitable, there must be, at minimum, a call path from the application to the vulnerable function in that library. The report finds this to be true for fewer than 9.5% of all vulnerabilities in the seven languages explored: Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala. The research also turns a spotlight on the speed of response to emerging risks: nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days.
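To make the call-path condition concrete, here is an added example (not code from the report or any of the tools it covers) that builds a call graph from Python source with the standard `ast` module and keeps only the advisories whose vulnerable function is reachable from the entry point; the sample application and the advisory ids are constructed placeholders.

```python
import ast
from collections import deque

# Constructed sample: the app vendors two hypothetical dependency functions,
# but only lib_parse_config is on a call path from the entry point main().
APP_SOURCE = '''
def lib_parse_config(text):
    return dict(line.split("=", 1) for line in text.splitlines())

def lib_render_template(tpl, ctx):
    return tpl.format(**ctx)

def load_settings(raw):
    return lib_parse_config(raw)

def main():
    return load_settings("debug=1")
'''

# Constructed advisories, keyed by vulnerable function (placeholder ids, not real CVEs)
ADVISORIES = {
    "lib_parse_config": "ADVISORY-A (placeholder)",
    "lib_render_template": "ADVISORY-B (placeholder)",
}

def build_call_graph(source):
    """Map each top-level function name to the set of names it calls directly."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {
                sub.func.id for sub in ast.walk(node)
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
            }
    return graph

def reachable_functions(graph, entry):
    """Breadth-first walk of the call graph starting at the entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def reachable_advisories(source, entry, advisories):
    """Keep only advisories whose vulnerable function is reachable from entry."""
    reach = reachable_functions(build_call_graph(source), entry)
    return {fn: adv for fn, adv in advisories.items() if fn in reach}
```

Running `reachable_advisories(APP_SOURCE, "main", ADVISORIES)` reports only ADVISORY-A, because `lib_render_template` is present in the code base but never called from `main`.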

Most GitHub Actions workflows are insecure in some way

Legit found the security posture of community-developed Actions that extend GitHub Actions capabilities concerning. Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and most are maintained by a single developer.

90% of exposed secrets on GitHub remain active for at least five days

The growing number of code repositories on GitHub, with 50 million new repositories added in the past year (+22%), increases the risk of both accidental and deliberate exposure of sensitive information. The research sheds light on an important security gap: of the valid secrets discovered exposed, 90% remain active for at least five days, even after the author has been notified.
