If you want to help grow awareness around securing open source software, take the State of Open Source Survey.
Why is it important, you ask? Every year numerous security vulnerabilities are reported across multiple ecosystems. Since 2017, this report has been a go-to aggregation point for security concerns across application libraries in PyPI, Go (aka Golang), npm, Maven Central, and PHP Packagist.
Analysis of last year's report shows rapid growth of vulnerabilities across all of these programming languages (Python, Go, Node.js, Java, PHP). As part of our research, we turn to the community to share their perspectives through our State of Open Source Security survey.
Vulnerabilities by Ecosystem graph from State of Open Source Security 2019 Report
When looking at vulnerabilities, we want to understand not only the sheer number but also the criticality of the vulnerabilities being discovered. We saw a somewhat encouraging trend: the proportion of high to medium severity vulnerabilities reported shifted toward the less risky medium severity ones.
However, just as security posture seemed to be improving and the criticality of vulnerabilities declining, new attack vectors arose, as they always do. That is why the 2019 report started to look at some of the key trends in vulnerabilities around container images.
We looked at the known vulnerabilities in the system libraries within some of the most popular images on Docker Hub. We found that the average number of vulnerabilities per image was quite high, and that the Node.js libraries included in these images in particular tended to be significantly vulnerable. If there was a silver lining to be found, it was that 44% of the vulnerabilities could be fixed by swapping the base image for a less vulnerable version.
One other key element in understanding the overall state of security across the open source ecosystem is how long it takes maintainers to address reported vulnerabilities and provide a fix. Looking at some of the most popular packages in npm, we found that time to fix ranged from 289 days to over 2,000 days!
Grow security research by responding to the survey
Your responses to this survey help my team better understand the challenges our community faces and guide our research into security improvements for all of open source software. Coupled with data we gather and analyze from our platforms and those of our partners, we will once again release this free report to the community. This year we’re expanding our focus to get even greater detail on cloud native technologies such as containers, orchestration tools, and infrastructure as code.
Take the survey here, and thank you for everything you do for the open source community.