Open-source software has opened new opportunities for collaboration and sharing of source code leading to consumer savings of more than $50B according to a Gartner report.
Community participation and meritocracy principles guide open-source software¹, with Apache Web Server and Linux among its best-known examples. The GNU Image Manipulation Program and LibreOffice are other open-source models where the public can access, modify, and use the content in projects.
Computer programmers value open source because they can share their work and modify code. Unlike users of proprietary software², open-source software users learn new skills, gain control of the code, and enjoy longevity in pursuing their projects.
Proprietary software such as Adobe Photoshop and Microsoft Office does not allow users to modify the code and comes with limitations. This makes open source popular compared to proprietary software.
Rising Open Source Vulnerabilities
Despite the benefits of open source software, vulnerabilities in OSS are increasing at a high rate. The RiskSense report shows that vulnerabilities in OSS rose in 2019 compared to 2018.
In 2018, open-source vulnerabilities stood at 420 and rose to 968 in 2019. RiskSense estimates the vulnerability increase at 130% and states that the situation could worsen in 2020.
Red tape in disclosing OSS vulnerabilities³ to the National Vulnerability Database is another challenge facing open source, and it creates further exposure before current risks are addressed. From January to March 2020, common vulnerabilities continued to increase at a fast rate compared to previous years.
The State of OSS Vulnerabilities
The current situation of OSS vulnerabilities does not look good. MySQL experienced an estimated 600 vulnerabilities with Jenkins Server recording 650 vulnerabilities.
HashiCorp suffered breaches with a high number of weaponized vulnerabilities, totaling six, compared to Jenkins and MySQL. The line of open source vulnerabilities continues with JBoss, Apache Tomcat, and Magento⁴ experiencing attacks alongside Elasticsearch.
Open-source vulnerabilities including code injection and deserialization are on the rise, with input validation issues and cross-site scripting emerging as well. These attacks come amid high adoption of open source by most organizations because of collaborative contributions⁵ from everyone. These benefits will be eroded as OSS comes under increasing attack. The slow response to attacks by the National Vulnerability Database compounds this problem, with the earliest time for developing solutions at 2 months.
With an estimated 90% of the software in use consisting of open source, the situation will worsen as these vulnerabilities spread through such massive consumption. Enterprises have not achieved full-scale security controls in their operations, and this creates cracks through which these vulnerabilities occur.
The production of web applications continues with the increased reusing of existing code and dependence on third-party code⁶. This contributes to further vulnerabilities in open source.
The lack of centralized information on open source vulnerabilities contributes to the surging cases, because the information is spread widely across software applications. This makes finding it challenging.
An estimated 30% of all reported vulnerabilities are not included in the National Vulnerability Database⁷, and this becomes a problem. The total number of vulnerabilities according to the WhiteSource Database reached 6000 in 2019 alone, representing a 50% rise in open-source attacks.
To understand the scope of open-source attacks⁸, it is important to review the implications of coding languages. C is the language most affected by vulnerabilities, as more people write code in it, and the larger volume of code generates more vulnerabilities. Compared to C, Python recorded the fewest vulnerabilities, but its adoption is increasing, which means new vulnerabilities in the future.
Common Vulnerability Scoring System
Another viewpoint in understanding vulnerabilities in open-source software is the Common Vulnerability Scoring System⁹ and determining the validity of scores. There is no standard agreement on the required score of OSS vulnerabilities, and this creates confusion.
Every year, new CVSS updates are released to make the score acceptable and applicable in enterprises. By extension, the determination of critical and high severity cases becomes difficult to measure in the wake of OSS vulnerabilities.
The good thing about OSS vulnerabilities is that they have a solution, but the problem, according to WhiteSource, comes in publishing and addressing them. The slow process of addressing these vulnerabilities in open source means more organizations face operational challenges in achieving their goals. Nevertheless, enterprises are responding to these threats by investing in more security, but there is still a long road ahead.
Enterprises have experienced problems keeping up with OSS updates, and running outdated versions creates loopholes for new attacks. Consequently, hackers find their way into organizational databases because the organizations have not kept up with the latest OSS releases.
In response to this problem, companies are hiring cybersecurity analysts, who check for flaws and use tools such as foundations and bug bounty programs to keep systems secure.
Magento and Equifax Vulnerabilities
The Equifax¹⁰ attack incident offers a good example of open source vulnerabilities and the losses incurred because of poor oversight from enterprises. Hackers are using new programs to attack OSS projects, with the Magento breach, which led to serious financial fraud, being another example of OSS vulnerabilities.
As open source grows, threats keep increasing, with OpenCart and Powerfront CMS being other new areas for attacks. Over 90% of commercial software utilizes open source, and the Magento case demonstrates the delicate balance regarding OSS security. OSS threats from the dark web continue to rise, and enterprises should upgrade their security controls to be on the safe side.
Organizations are turning to tools such as Coverity Scan, which detects vulnerabilities across large volumes of code within a short time. Coverity Scan can identify over 1 million vulnerabilities, after which the organization takes action in cleaning up the vulnerabilities. Companies can improve their security controls by conducting regular checks, and this reduces the chances of vulnerabilities.
Joint projects on open source software require more participation in identifying errors, and using Coverity Scan can create stronger systems.
Companies are shifting to open source despite vulnerabilities because of cost reduction, efficiency, and faster detection of flaws. Closed software offers tight controls, but the problem comes in the deployment phase, where collaboration falls off because few people belong to the same application community.
Why Open Source Security Controls?
The biggest challenge in open source security lies in using new versions and disregarding old models in line with security updates. Companies have not taken these upgrades seriously and this further creates security breaches.
New security patches for open source not only secure applications but also detect vulnerabilities the moment they occur. This saves time and resources for organizations. Manual updating of OSS libraries creates more benefits for organizations, as management can act on problems earlier.
Companies face challenges mapping all the code used in their systems and conducting OSS vulnerability scans allows them to anticipate problems and address them. A recent report indicated that most enterprises do not fully understand the nature of their inventory and this means open-source attacks happen without their knowledge.
Comparing an organization’s binary code with the National Vulnerability Database is critical for companies as they conduct vulnerability scans. Hiring vendors to conduct security checks helps companies to eliminate all internal risks and understand the state of their security controls.
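The inventory check described above, and the earlier point that many reported vulnerabilities never reach the National Vulnerability Database, can be sketched as follows. This is an added example, not code from the original article or from any vendor's tool. The package names, versions, advisory IDs, and the two feeds ("nvd" and "project-tracker") are constructed for illustration.

```python
from dataclasses import dataclass

def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class Advisory:
    source: str       # feed that published the advisory
    advisory_id: str  # constructed placeholder ID
    package: str
    fixed_in: str     # first version containing the fix

# Constructed inventory in "name==version" form (hypothetical packages).
INVENTORY = """
examplelib==1.4.2
webframe==3.10.0
imgtool==2.9.9  # pinned by ops
"""

# Constructed advisories from two hypothetical feeds.
ADVISORIES = [
    Advisory("nvd", "EXAMPLE-0001", "examplelib", "1.4.10"),
    Advisory("nvd", "EXAMPLE-0002", "webframe", "3.9.1"),
    Advisory("project-tracker", "EXAMPLE-0003", "imgtool", "2.10.0"),
]

def parse_inventory(text):
    """Map package name to installed version, skipping comments and blanks."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            inventory[name.strip().lower()] = version.strip()
    return inventory

def scan(inventory, advisories, sources=None):
    """Return sorted findings, optionally restricted to the given feeds."""
    return sorted(
        (a.package, inventory[a.package], a.advisory_id, a.source)
        for a in advisories
        if (sources is None or a.source in sources)
        and a.package in inventory
        and parse_version(inventory[a.package]) < parse_version(a.fixed_in)
    )

def missed_by(inventory, advisories, sources):
    return sorted(set(scan(inventory, advisories)) - set(scan(inventory, advisories, sources)))
```

Versions are compared as integer tuples, so 3.10.0 is treated as newer than 3.9.1; a plain string comparison would flag webframe falsely and miss examplelib. Calling `missed_by(parse_inventory(INVENTORY), ADVISORIES, {"nvd"})` lists the findings a single-source lookup would not report.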
A segmented network used by an organization often creates roadblocks when conducting open-source security checks, and installing agents on devices has been shown to bring good results. Integrating the agent at a single point might not solve the problem, and this is why companies need caution when undertaking vulnerability scans.
¹Open Source Software, ²Proprietary Software, ³OSS Vulnerabilities, ⁴Magento, ⁵Collaborative Contributions, ⁶Third Party Code, ⁷National Vulnerability Database, ⁸Open Source Attacks, ⁹Common Vulnerability Scoring System