A study analyzing 54 open source projects found that security vulnerabilities in these tools doubled in 2019, from 421 in 2018 to 968 last year. According to RiskSense’s “Dark Reality of Open Source” report released today, the company reported 2,694 bugs in popular open source projects between 2015 and March 2020.
The report doesn’t include super-popular free tool items such as Linux, WordPress, and Drupal, because they are often monitored and security bugs make news to ensure that most of these security issues are patched fairly quickly.
Instead, RiskSense looked at other popular open source projects that were not so well known but were widely used by the technology and software community. These include tools such as Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet, and more.
RiskSense says one of the main problems they found in the course of their research is that the large number of security vulnerabilities they analyzed were not reported to the National Vulnerability Database (NVD) many weeks after they were publicly disclosed. The company said the bugs found in the 54 projects typically take an average of about 54 days to be reported to NVD, with PostgreSQL reporting delays of up to eight months. Because network security and IT software companies use NVD databases to create and send security alerts, reporting delays have led to companies using these open source projects still exposed to attacks.
RiskSense said that since 2015, the Jenkins Automation Server and MySQL Database Server scored the most weaponized vulnerabilities out of all 54 projects it analyzed, with 15 each. While other open source projects have fewer bugs, they are sometimes more likely to be weaponized, such as bugs in The Vagrant virtualization software and Alfresco content management systems.
RiskSense believes that not only needs to be improved in the way open source projects handle security vulnerabilities internally, but also industry as a whole, as open source projects are creating new vulnerabilities at a historic rate.