Open source software vulnerabilities see huge rise

  • Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Welcome to our Community
Wanting to join the rest of our members? Feel free to sign up today.
Sign up

PCHF IT Feeds

PCHF Tech News
PCHF Bot
Jan 10, 2015
52,072
26
pchelpforum.net
New research from RiskSense has revealed that the number of security vulnerabilities in open source software more than doubled last year.

To compile its new report titled “The Dark Reality of Open Source”, the firm used data from 54 open source projects dating all the way back to 2015 until the first three months of 2020 to discover a total of 2,694 Common Vulnerabilities and Exposures (CVEs).

RiskSense's report found the total number of vulnerabilities in open source software reached 968 last year which is up by more than 50 percent from the 421 CVEs found in 2018. In a press release, CEO of RiskSense, Srinivas Mukkamala provided further insight on the report's findings, saying:


“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”

Open source software vulnerabilities


RiskSense's study also revealed how long it takes for open source software vulnerabilities to be added to the National Vulnerability Database (NVD). On average it takes 54 days from a vulnerability being publicly disclosed for it to be included in the NVD.

This delay has serious consequences for businesses as they can remain exposed to serious application security risks for almost two months. These delays were also observed across all severities including vulnerabilities that were rated as critical and those that were being actively exploited in the wild.

Of the open source projects analyzed in the report, the Jenkins automation server had the most CVEs overall with 646 and this was closely followed by MySQL with 624. These two projects also tied for the most weaponized vulnerabilities with 15 each.

When it came to weaponization, cross-site scripting (XSS) and Input Validation weaknesses were both some of the most common and most weaponized types of vulnerabilities in RiskSense's study. XSS issues were the second most common type of vulnerability but they were the most weaponized while Input Validation issues were the third most common and second most weaponized.

There are many benefits of using open source software though RiskSense's report shows that managing vulnerabilities in their libraries can pose unique challenges for businesses and developers.

HXvG7R7kp4E


Continue reading...