Technology Today

New research from RiskSense has revealed that the number of security vulnerabilities in open source software more than doubled last year.

To compile its new report, titled The Dark Reality of Open Source, the firm used data from 54 open source projects, covering 2015 through the first three months of 2020, and found a total of 2,694 Common Vulnerabilities and Exposures (CVEs).

RiskSense's report found that the total number of vulnerabilities in open source software reached 968 last year, which is up by more than 50 percent from the 421 CVEs found in 2018.

In a press release, RiskSense CEO Srinivas Mukkamala provided further insight on the report's findings, saying:

"While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations. Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences."

RiskSense's study also revealed how long it takes for open source software vulnerabilities to be added to the National Vulnerability Database (NVD). On average, it takes 54 days from a vulnerability being publicly disclosed for it to be included in the NVD.

This delay has serious consequences for businesses, as they can remain exposed to serious application security risks for almost two months. These delays were also observed across all severities, including vulnerabilities that were rated as critical and those that were being actively exploited in the wild.

Of the open source projects analyzed in the report, the Jenkins automation server had the most CVEs overall with 646, closely followed by MySQL with 624. These two projects also tied for the most weaponized vulnerabilities, with 15 each.

When it came to weaponization, cross-site scripting (XSS) and Input Validation weaknesses were both among the most common and most weaponized types of vulnerabilities in RiskSense's study. XSS issues were the second most common type of vulnerability but the most weaponized, while Input Validation issues were the third most common and second most weaponized.

There are many benefits to using open source software, though RiskSense's report shows that managing vulnerabilities in open source libraries can pose unique challenges for businesses and developers.




