sábado, 10 abril 2021
Visitas totales a la web: 86447770

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

Open source software security vulnerabilities exist for over four years before detection

It can take an average of over four years for vulnerabilities in open source software to be spotted, an area in the security community that needs to be addressed, researchers say. 

According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 

Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 

“You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,” GitHub says. “Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.”

GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.

Only active repositories have been included, not including forks or ‘spam’ projects. The package ecosystems analyzed are Composer, Maven, npm, NuGet, PyPi, and RubyGems. 

In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript — 94% — as well as Ruby and .NET, at 90%, respectively. 

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says “indicates clear opportunities to improve vulnerability detection.”

However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes. 

In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages. 

According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 

Defining the ‘worst’ open source vulnerabilities of 2020 is not an easy task as it depends on the reach of impact — on users and repositories — exploitability, and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype
Pollution in lodash as a top vulnerability. 

Tracked as CVE-2020-8203 and issued a severity score of 7.4, the RCE security flaw alone has been responsible for over five million GitHub Dependabot alerts due to lodash being one of the most widely-used and popular npm packages. 

The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a regular basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way. 

“Open source is critical infrastructure, and we should all contribute to the security of open source software,” the organization added. “Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.”

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El paracaidista español que humilló a los «temibles» espías soviéticos

Joaquín Madolell, natural de Melilla y militar del Ejército del Aire, desarticuló la mayor red del espionaje...

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

Últimas noticias

Alaska, un erial que Rusia no dudó en vender

Españoles y británicos intentaron arrogarse este territorio, sobreexplotado por los rusos, que finalmente se deshicieron de él.

Un retén 24 horas atenderá las emergencias en las zonas verdes de Madrid

La Junta de Gobierno aprueba el nuevo contrato, que entrará en vigor en agosto, obligará a mantener una plantilla mínima de más...

Telefónica despide al jefe del negocio de ciberseguridad por un presunto fraude

Su salida y la de otros tres directivos se produjo antes de la remodelación completa de la cúpula de Telefónica Tech

Muere Dick Hoyt, el padre que convirtió a su hijo con parálisis cerebral en un Ironman

Juntos participaron en más de 1.000 carreras y triatlones, incluyendo 32 ediciones del Maratón de Boston Dick Hoyt participó en...

¿Qué puedo hacer para que no okupen mi casa?

La Policía Nacional elabora una guía de consejos y actuaciones para los propietarios ante la okupación ilegal de viviendas