martes, 9 agosto 2022
Visitas totales a la web: 87774768

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

Open source software security vulnerabilities exist for over four years before detection

It can take an average of over four years for vulnerabilities in open source software to be spotted, an area in the security community that needs to be addressed, researchers say. 

According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 

Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 

«You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,» GitHub says. «Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.»

GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.

Only active repositories have been included, not including forks or ‘spam’ projects. The package ecosystems analyzed are Composer, Maven, npm, NuGet, PyPi, and RubyGems. 

In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript — 94% — as well as Ruby and .NET, at 90%, respectively. 

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says «indicates clear opportunities to improve vulnerability detection.»

However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes. 

In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages. 

According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 

Defining the ‘worst’ open source vulnerabilities of 2020 is not an easy task as it depends on the reach of impact — on users and repositories — exploitability, and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype
Pollution in lodash as a top vulnerability. 

Tracked as CVE-2020-8203 and issued a severity score of 7.4, the RCE security flaw alone has been responsible for over five million GitHub Dependabot alerts due to lodash being one of the most widely-used and popular npm packages. 

The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a regular basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way. 

«Open source is critical infrastructure, and we should all contribute to the security of open source software,» the organization added. «Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.»

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

La artillería ‘made in USA’ comprada por Marruecos que deja fuera de juego a España

El país magrebí sigue reforzando sus fuerzas armadas a golpe de talonario, y no lo hace de...

Últimas noticias

La exigencia de ser alumno en la Academia de Artillería

El Colegio de Artillería del Alcázar fue designado como tal centro formativo el 29 de enero de...

El impresionante y olvidado resurgir de España con Felipe V

Desperta Ferro edita en castellano la obra de referencia del hispanista Christopher Storrs, donde prueba que la Monarquía Hispánica reivindicó un lugar...

Los 30 años del Samur: de «cinco o seis sanitarios» a «salvar 25.000 vidas»

"Quisimos que las Urgencias llegaran al ciudadano", dice Javier Quiroga, uno de los impulsores de este servicio que nació en 1992.

París 2024 no tendrá fútbol en Saint-Denis tras el escándalo de la final de la Champions League

El escándalo antes del Liverpool - Real Madrid supuso que la organización de los Juegos Olímpicos tome medidas. El atletismo sigue previsto...

Emperadores de HISPANIA

Trajano, Adriano. Marco Aurelio y Teodosio en la forja del Imperio Romano "Es una tierra bendecida": el poder de...