Open source software vulnerabilities see huge rise

(Image credit: Shutterstock)

New research from RiskSense has revealed that the number of security vulnerabilities in open source software more than doubled last year.

To compile its new report titled “The Dark Reality of Open Source”, the firm used data from 54 open source projects dating all the way back to 2015 until the first three months of 2020 to discover a total of 2,694 Common Vulnerabilities and Exposures (CVEs).

RiskSense's report found the total number of vulnerabilities in open source software reached 968 last year which is up by more than 50 percent from the 421 CVEs found in 2018. In a press release, CEO of RiskSense, Srinivas Mukkamala provided further insight on the report's findings, saying:

“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”

Open source software vulnerabilities

RiskSense's study also revealed how long it takes for open source software vulnerabilities to be added to the National Vulnerability Database (NVD). On average it takes 54 days from a vulnerability being publicly disclosed for it to be included in the NVD.

This delay has serious consequences for businesses as they can remain exposed to serious application security risks for almost two months. These delays were also observed across all severities including vulnerabilities that were rated as critical and those that were being actively exploited in the wild.

Of the open source projects analyzed in the report, the Jenkins automation server had the most CVEs overall with 646 and this was closely followed by MySQL with 624. These two projects also tied for the most weaponized vulnerabilities with 15 each.

When it came to weaponization, cross-site scripting (XSS) and Input Validation weaknesses were both some of the most common and most weaponized types of vulnerabilities in RiskSense's study. XSS issues were the second most common type of vulnerability but they were the most weaponized while Input Validation issues were the third most common and second most weaponized.

There are many benefits of using open source software though RiskSense's report shows that managing vulnerabilities in their libraries can pose unique challenges for businesses and developers.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.