New research from RiskSense has revealed that the number of security vulnerabilities in open source software more than doubled last year.
To compile its new report titled “The Dark Reality of Open Source”, the firm used data from 54 open source projects dating all the way back to 2015 until the first three months of 2020 to discover a total of 2,694 Common Vulnerabilities and Exposures (CVEs).
RiskSense’s report found the total number of vulnerabilities in open source software reached 968 last year which is up by more than 50 percent from the 421 CVEs found in 2018. In a press release, CEO of RiskSense, Srinivas Mukkamala provided further insight on the report’s findings, saying:
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
Open source software vulnerabilities
RiskSense’s study also revealed how long it takes for open source software vulnerabilities to be added to the National Vulnerability Database (NVD). On average it takes 54 days from a vulnerability being publicly disclosed for it to be included in the NVD.
This delay has serious consequences for businesses as they can remain exposed to serious application security risks for almost two months. These delays were also observed across all severities including vulnerabilities that were rated as critical and those that were being actively exploited in the wild.
Of the open source projects analyzed in the report, the Jenkins automation server had the most CVEs overall with 646 and this was closely followed by MySQL with 624. These two projects also tied for the most weaponized vulnerabilities with 15 each.
When it came to weaponization, cross-site scripting (XSS) and Input Validation weaknesses were both some of the most common and most weaponized types of vulnerabilities in RiskSense’s study. XSS issues were the second most common type of vulnerability but they were the most weaponized while Input Validation issues were the third most common and second most weaponized.
There are many benefits of using open source software though RiskSense’s report shows that managing vulnerabilities in their libraries can pose unique challenges for businesses and developers.