Counting Vulnerabilities In Open Source Projects and Programming Languages |
Written by Alex Armstrong |
Thursday, 18 April 2019 |
The number of disclosed open source vulnerabilities skyrocketed in 2017, reaching a total of almost 3,500. Mozilla was the open source projects with the most vulnerabilities and C/C++ was the most vulnerable language. To provide this information, WhiteSource - a company that sells software which monitors open source components to provide alerts about security and licensing issues -.conducted a survey of 650 developers from the US and Western Europe about their practices and challenges of open source usage. They also collected data from the NVD, the United State's national vulnerability database, together with security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather insights into open source vulnerability management. The statistics they presented in the The State of Open Source Vulnerability Management Report showed that the number of disclosed open source software vulnerabilities in 2017 rose by over 50% compared to 2016. In 2018 the number of reported vulnerabilities fell slightly on 2017 but confirmed the upward trend: Looking at the distribution of vulnerabilities among popular open source projects, Mozilla Firefox tops the list, closely followed by Linux: With regard to languages C/C++ tops comes top by a long margin: Commenting on this finding in a recent post on the WhiteSource blog, Ayala Goldstein writes: This is not to say that C is less secure than the other languages. The high number of open source vulnerabilities in C can be explained by several factors. For starters, C has been in use for longer than any of the other languages we researched and has the highest volume of written code. It is also one of the languages behind major infrastructure like Open SSL and the Linux kernel. This winning combination of volume and centrality explains the high number of known open source vulnerabilities in C. The blog post also did an analysis by language over time, noting the substantial rise in known open source security vulnerabilities, across all languages over the past two years: Commenting on this Goldstein writes: This rise can be explained by the rise in awareness of known security vulnerabilities in open source components, along with the continuously growing popularity of open source. As more resources have been invested in open source security research, the number of issues discovered has increased. The use of automated tools and the growing investment in bug bounty programs have further contributed to the sharp rise in the amount of disclosed open source security vulnerabilities. Goldstein then focused on high severity open source security vulnerabilities (scores above 7 according to CVSS v2) by language over time: Comparing this with the previous chart JavaScript and PHP stand it is clear that the percentage of critical vulnerabilities is declining in most of the languages covered in the report, except for JavaScript and PHP. Commenting on this Goldstein writes: The decrease in the percentage of critical vulnerabilities could be a result of the concerted effort from security researchers to use automated tools to discover vulnerabilities in open source components. These tools are usually less capable of finding more complex and critical issues. While many of these tools are doing a good job of discovering vulnerabilities, many of the issues are not critical, and so we see a rise in the number of mostly medium vulnerabilities over the past few years in most of the programming languages that we studied.
|
Last Updated ( Thursday, 18 April 2019 ) |