lunes, 6 febrero 2023
Visitas totales a la web: 88326648

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

Open source software security vulnerabilities exist for over four years before detection

It can take an average of over four years for vulnerabilities in open source software to be spotted, an area in the security community that needs to be addressed, researchers say. 

According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 

Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 

«You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,» GitHub says. «Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.»

GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.

Only active repositories have been included, not including forks or ‘spam’ projects. The package ecosystems analyzed are Composer, Maven, npm, NuGet, PyPi, and RubyGems. 

In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript — 94% — as well as Ruby and .NET, at 90%, respectively. 

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says «indicates clear opportunities to improve vulnerability detection.»

However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes. 

In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages. 

According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 

Defining the ‘worst’ open source vulnerabilities of 2020 is not an easy task as it depends on the reach of impact — on users and repositories — exploitability, and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype
Pollution in lodash as a top vulnerability. 

Tracked as CVE-2020-8203 and issued a severity score of 7.4, the RCE security flaw alone has been responsible for over five million GitHub Dependabot alerts due to lodash being one of the most widely-used and popular npm packages. 

The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a regular basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way. 

«Open source is critical infrastructure, and we should all contribute to the security of open source software,» the organization added. «Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.»

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

La artillería ‘made in USA’ comprada por Marruecos que deja fuera de juego a España

El país magrebí sigue reforzando sus fuerzas armadas a golpe de talonario, y no lo hace de...

Últimas noticias

El Plan de seguridad. (El Esperado modelo estatal para eventos)

La seguridad de un evento deportivo o recreativo requiere objetivos, planificación, dotación, implantación y evaluación de resultados.

Sistemas de Extinción por Gas: Manual Práctico para el Diseño, Instalación y Mantenimiento

Este Documento Técnico tiene como objetivo dar a conocer las peculiaridades de los Sistemas de Extinción por Gas, sus puntos fuertes y...

A CSO’s challenge for building a global risk strategy

Without a strategy, security plans are almost impossible to implement, and C-suite engagement can be jeopardized Global security risks...

Este timbre para bicicletas es el lugar perfecto para esconder un AirTag sin que los ladrones lo sepan

Los AirTags de Apple desbancaron con su nacimiento al resto de opciones del mercado entre los usuarios de Apple. Esta solución de rastreo se...

Este timbre para bicicleta es el lugar perfecto para esconder un AirTag sin que los ladrones lo sepan

Bajo un timbre o un portabotellas, esta compañía ha ideado unos escondites para colocar los rastreadores a prueba de robos y pérdidas.