
Is Open Source Your Risk-Based Blind Spot?

by Jun 8, 2020


Open source software has become an integral part of virtually every aspect of modern applications and application development. It’s currently estimated that open source code makes up between 80% and 90% of the code in modern applications. Likewise, open source projects like Docker, Kubernetes, Jenkins, Ansible and dozens of others have become indispensable to the way that applications are developed, tested, and deployed. The widespread popularity of open source has also led to a spike in open source vulnerabilities in organizations. Unfortunately, a recent study found that more than 90% of business applications have outdated or insecure open source components.

And as the open source attack surface has grown, it should be no surprise that threat actors have likewise set their sights on weaknesses in these projects. Vulnerabilities in Elasticsearch and SaltStack have recently been used in cryptomining and other malware attacks. Active campaigns have been observed targeting the recent Ghostcat vulnerability, which allows attackers to potentially take over vulnerable instances of Apache Tomcat. Open source vulnerabilities have been tied to DDoS, Docker escapes, ransomware attacks, and e-commerce attacks.

Yet for many organizations, open source vulnerabilities are a blind spot in their risk management efforts. With this in mind, we have focused our latest research specifically on OSS vulnerabilities and published the results in our Spotlight Report, The Dark Reality of Open Source. The analysis includes a variety of insights that you can start using today, including:

  • Recent trends in open source vulnerabilities
  • The vulnerabilities that are trending in real-world attacks
  • How OSS vulnerabilities take much longer to show up in the NVD
  • The OSS projects that have the most vulnerabilities and which are weaponized the most
  • The underlying weaknesses that lead to OSS vulnerabilities

Let’s take a quick look at some of the highlights.

OSS Vulnerabilities Double in 2019

In terms of volume, 2019 was the year of the open source vulnerability. In our analysis of 53 of the most popular OSS projects, we found that 2019 had more than twice as many vulnerabilities as any of the previous years. OSS vulnerabilities grew by 130% between 2018 and 2019, while the NVD averaged only 8% growth in the same time frame. 2020 likewise remains on a historically high pace through the first 3 months of the year. This spike in OSS vulnerabilities means that Dev, IT, and Security teams are going to need to be able to quickly prioritize the CVEs that really matter in the real world in order to keep from being overwhelmed.

Long Wait Times at the NVD

If you rely on the NVD for important context for vulnerabilities, you probably shouldn’t hold your breath when it comes to open source vulnerabilities. Across the 2,694 vulnerabilities we analyzed, we found that it took an average of 54 days between when a vulnerability was initially disclosed and when it was available in the National Vulnerability Database (NVD).

These long lag times were seen across all severities of CVEs as well as weaponized vulnerabilities. The longest observed lag was 1,817 days, tied to a PostgreSQL vulnerability (CVE-2015-0244), which is rated as a CVSS v3 Critical vulnerability with a score of 9.8.

Average lag times did vary considerably between open source projects, with some having almost no lag and others averaging hundreds of days of lag. Check out the full report for details on each OSS project.

Home In On the Most Important OSS Vulnerabilities

While the report analyzed thousands of vulnerabilities, our analysis boiled down the dataset to a handful of specific CVEs that pose the greatest immediate risk to organizations. Of the 2,694 vulnerabilities, 89 were weaponized, 18 enabled remote code execution, and 6 were trending in active real-world attacks. In the report we highlight these trending vulnerabilities along with another 6 important vulnerabilities that pose the most risk based on their exploitability, use in the wild, and potential impact. We break these vulnerabilities out by their respective open source project including Docker, Elasticsearch, Git, JBoss, Jenkins, Kubernetes, Magento, and Apache Tomcat.
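The two points above, NVD lag and risk-based prioritization, are easy to operationalize over your own inventory of OSS CVEs. The following is an added example, not code from the report or its authors: it ranks constructed CVE records by the same signals the report uses (trending in real-world attacks, weaponized, RCE, then CVSS) and measures disclosure-to-NVD lag so that a CVE still absent from the NVD keeps counting rather than being ignored. The CVE ids, dates and project labels are placeholders constructed for the sample; the 54-day average and the 1,817-day longest lag are taken from the text.

```python
"""Risk-based triage of open source CVE records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TODAY = date(2020, 6, 8)   # reference date for still-open lags (the post's date)
AVG_LAG_DAYS = 54          # the report's average disclosure-to-NVD lag

@dataclass
class OssCve:
    cve_id: str
    project: str
    cvss_v3: float
    disclosed: date                  # date the flaw was publicly disclosed
    nvd_published: Optional[date]    # None if not yet in the NVD
    weaponized: bool = False         # a working exploit exists
    rce: bool = False                # enables remote code execution
    trending: bool = False           # seen in active real-world attacks

def nvd_lag_days(cve: OssCve, today: date = TODAY) -> int:
    """Days from disclosure to NVD entry; still counting (up to `today`) if absent."""
    return ((cve.nvd_published or today) - cve.disclosed).days

def risk_rank(cve: OssCve) -> tuple:
    """Sort key: a higher tuple means higher priority. Real-world use outranks CVSS alone."""
    return (cve.trending, cve.weaponized and cve.rce, cve.weaponized, cve.rce, cve.cvss_v3)

def triage_report(cves: List[OssCve], today: date = TODAY) -> List[dict]:
    """Return records ordered by priority, each with its NVD lag status."""
    return [{"cve": c.cve_id, "project": c.project, "lag_days": nvd_lag_days(c, today),
             "nvd_missing": c.nvd_published is None,
             "above_avg_lag": nvd_lag_days(c, today) > AVG_LAG_DAYS}
            for c in sorted(cves, key=risk_rank, reverse=True)]

# Constructed sample set with placeholder ids. The PostgreSQL row mirrors the
# report's 1,817-day lag; the Jenkins row is still absent from the NVD.
SAMPLE = [
    OssCve("CVE-0000-0001", "Apache Tomcat", 9.8, date(2020, 2, 20), date(2020, 2, 24), True, True, True),
    OssCve("CVE-0000-0002", "PostgreSQL", 9.8, date(2015, 2, 5), date(2020, 1, 27)),
    OssCve("CVE-0000-0003", "Jenkins", 8.8, date(2020, 3, 1), None, True, True),
    OssCve("CVE-0000-0004", "Kubernetes", 7.5, date(2020, 4, 1), date(2020, 4, 3), True),
    OssCve("CVE-0000-0005", "Git", 5.3, date(2020, 5, 1), date(2020, 5, 10)),
]

def sample_report() -> List[dict]:
    return triage_report(SAMPLE)

if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Note that the Critical-rated PostgreSQL record drops below the weaponized Kubernetes one: a 9.8 CVSS score alone does not move a CVE to the top of the queue here, which is the prioritization the report argues for.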

These are just a few of the insights you can find in the latest Spotlight Report. Be sure to check out the full report to see which projects had the most vulnerabilities, which were the most weaponized, analysis of risk severities, underlying weaknesses, and more.