Open Source Push Highlights Security Flaws
As enterprise adoption of open source software soars, so too do the number of vulnerabilities inevitably exposed as deployments scale and security awareness grows in response to high-profile data breaches.
An audit of security advisories, vulnerability databases and other security trackers found that open source software vulnerabilities jumped in 2019 to more than 6,000. That total represents a 50 percent increase in reported security flaws over the previous two years, according to an annual report by open source security specialist WhiteSource.
The National Vulnerability Database (NVD) maintained the U.S. National Institute of Standards and Technology is a key clearinghouse for vulnerability reports on open source software. The WhiteSource survey released Thursday (March 12) found that more than 85 percent of open source software vulnerabilities are now disclosed with a fix available. However, only 84 percent appear on the NVD.
The audit found that just 29 percent of all open source vulnerabilities reported outside the NVD eventually land in the U.S. database. “Information about vulnerabilities is not published in one centralized location,” the survey found. “Rather, [security alerts are scattered across hundreds of sources, and sometimes poorly indexed.”
The steady rise in open source software adoption along with a greater focus on security means “the number of reported open source vulnerabilities will surely keep rising,” the audit added.
That places greater responsibility on data gatherers to keep up with almost weekly security updates and patches. The most notorious failure was the massive 2017 data breach at the consumer credit reporting vendor Equifax, which failed to install widely available security updates to Apache Struts, an open source framework used to build Java web applications.
The WhiteSource report also compared known security vulnerabilities in the seven most popular open source programming languages. The C language continues to have the most vulnerabilities, a function of the large volume of code written in the foundational language. Vulnerabilities in the C language jumped 17 percent during 2019, the survey found.
Emerging language such as Python showed little or no rise in security vulnerabilities, a function of secure coding practices as programmers attempt to bake security into their open source projects.
Still, the most common open source flaws, known as “Common Weakness Enumeration,” stem from what the report called “information disclosure.” “What’s concerning is that the most common CWE’s are due to simple code errors and imprecise coding, [mistakes] all developers could avoid by sticking to fairly basic coding standards.”
As open source components and various distributions serve as the foundation of emerging IT infrastructure—think Kubernetes—the report concludes the development community is beginning to institutionalize security awareness. One example is the security lab launched by Microsoft-owned GitHub. The lab aims to make it easier for developers and maintainers to report open source vulnerabilities and publish fixes in a central location.
That approach has the advantage of reporting vulnerabilities rather than simply pushing a fix, then relying on third parties to report a vulnerability. Another benefit of maintainers reporting vulnerabilities to a central repository is “high-quality metadata,” the WhiteSouce audit noted.