The state of security in open source | Opensource.com


The security of open source software is ever-changing. Contribute to the State of Open Source Security survey to help it improve.


If you want to help grow awareness around securing open source software, take the State of Open Source Security survey.

Why is it important, you ask? Every year, numerous security vulnerabilities are reported across multiple ecosystems. Since 2017, this report has been a go-to aggregation point of security concerns across application libraries in PyPI, Go (aka Golang), npm, Maven Central, and PHP Packagist.

Analysis of last year's report shows rapid growth of vulnerabilities across all of these programming languages (Python, Go, Node.js, Java, PHP). As part of our research, we turn to the community to share their perspectives through our State of Open Source Security survey.

Vulnerabilities by Ecosystem graph from State of Open Source Security 2019 Report

When looking at vulnerabilities, we not only want to understand the sheer number but also the criticality of the vulnerabilities being discovered. We saw a somewhat encouraging trend, where the proportion of high to medium severity vulnerabilities reported shifted toward less risky medium severity vulnerabilities.

However, just as we seemingly start to improve our security posture and reduce the criticality of vulnerabilities, new attack vectors always arise, and that is why the 2019 report started to take a look at some of the key trends in vulnerabilities around container images.

We looked at the known vulnerabilities in the system libraries within some of the most popular images on Docker Hub. We found that the average number of vulnerabilities was quite high, but in particular, Node.js libraries included in these images tended to be significantly vulnerable. If there was a silver lining to be found in this, it was that 44% of the vulnerabilities could be fixed by swapping the base image for a less vulnerable version.

One other key element for understanding the overall state of security across the open source ecosystem is to understand how long it takes for maintainers to address reported vulnerabilities and provide a fix. Looking at some of the most popular packages in npm, we found that time to fix ranged from 289 days to over 2,000 days!

Grow security research by responding to the survey

Your responses to this survey help my team better understand the challenges our community faces and guide our research, which leads to better research into security improvements for all of open source software. Coupled with data we gather and analyze from our platforms and those of our partners, we will once again release this free report to the community. This year we’re expanding our focus to get even greater detail in terms of cloud native technologies such as containers, orchestration tools, and infrastructure as code.

Take the survey here, and thank you for everything you do for the open source community.

About the author

Alyssa Miller - Alyssa Miller (CISM) is a life-long hacker, application security advocate, and public speaker with almost 15 years of experience in security roles. She has always had a passion for deconstructing technology, particularly since buying her first computer at the age of 12 teaching herself BASIC programming. She transitioned to security after 10 years as a developer for a large financial services firm. Alyssa has performed all forms of security assessments but given her developer background, she...