THE STATE OF OPEN SOURCE VULNERABILITIES MANAGEMENT


Open source usage has become a mainstream practice — it’s impossible to keep up with today’s pace of software production without it. The rise in open source usage has led to a dramatic rise in open source vulnerabilities, demanding that development teams address the rapidly evolving issue of open source security.

The State of Open Source Vulnerability Management drills down into the deeper layers of open source management. Surveying over 650 developers and collecting data from the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, this report brings the latest in open source security management. Our mission is to determine where we are as an industry to know where we can go in years to come.


Key Findings:

1. A significant rise in the number of open source vulnerabilities presents a serious challenge to development and security teams striving to meet security objectives.
2. Developers spend a lot of time addressing open source vulnerabilities, but the absence of standard practices and developer-focused tools results in inefficient use of time.
3. A prioritization strategy for open source vulnerabilities is critical to ensure companies address the most urgent issues on time.
4. A solid prioritization practice for open source vulnerability remediation can reduce security alerts by 70% to 80%.

OPEN SOURCE SECURITY VULNERABILITIES ARE ON THE RISE

Key Takeaway:
A significant rise in the number of open source security vulnerabilities presents a serious challenge to development and security teams striving to meet security objectives.

The number of disclosed open source vulnerabilities skyrocketed in 2017, reaching almost 3,500 reported vulnerabilities.

According to the WhiteSource database, aggregated from the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, the number of disclosed open source software vulnerabilities in 2017 rose by over 60% as compared to 2016. We can see this trend continues in 2018.

This rise can be attributed to the software development community’s increased focus on open source security, following the widespread adoption of open source components and heightened awareness of security vulnerabilities after publicized data breaches.

Number of Reported Open Source Software Vulnerabilities Rose by 51.2% in 2017

WhiteSource surveyed 650 developers from the US and Western Europe about their practices and the challenges of open source usage.

According to the survey results, only a negligible percentage of developers do not use open source components at all, probably as a matter of company policy. Developers who do use open source rely on it regularly.

96.8% of developers rely on open source components and are therefore directly affected by the recent rise in the number of known vulnerabilities.

Frequency of use in open source components

The risk is more concentrated than it looks: the majority of disclosed open source software vulnerabilities lie in a small number of projects, the most popular ones.

The more popular an open source project is, the larger its community and the more ‘eyeballs’ it garners from security researchers. With more contributors looking at it, more security and quality issues are discovered and made public every month.

According to WhiteSource’s database, 7.5% of all open source projects have at least one known vulnerability. Among the 100 most popular projects, the share is 32%.

A single vulnerability is enough to put every application that depends on the project at risk, yet vulnerable open source projects contain 8 known vulnerabilities on average.

32% of the top 100 projects have at least one vulnerability.

The list of top 10 open source projects with the highest number of known open source vulnerabilities includes projects we are all familiar with and many of our products depend on.

It’s no coincidence that most of these projects are internet-facing components with large, exposed attack surfaces that are relatively easy to reach, and therefore attract a lot of research focus.

Another interesting fact is that there are commercial companies behind most of these projects. Remember that a high number of reported vulnerabilities usually reflects a project that is actively maintained and scrutinized by its community, not poor security standards.

Top 10 Vulnerable Open Source Projects Based on Number of Vulnerabilities

Open Source Project    # of vulnerabilities
Mozilla Firefox        1470
Linux                  1249
Chromium                602
Wireshark               549
Oracle Java SE          531
PHP                     486
Moodle                  451
ImageMagick             415
FFmpeg                  281
WordPress               245

In the breakdown by language, C/C++ takes first place by a considerable margin, with 41% of all reported vulnerabilities. JavaScript, one of the most popular programming languages in use, only takes 4th place, with 7%. Note that these are shares of all reported vulnerabilities, not vulnerability rates per project or per line of code.

Top 7 Languages with the Highest Number of Vulnerabilities

Language      % of vulnerabilities
C/C++         41%
PHP           17%
Java           8%
JavaScript     7%
Python         6%
Ruby           4%
C#             1%

But it’s not all bad.

The rise in security awareness has also led to a sharp increase in the number of suggested fixes offered by the community, usually published within days of the disclosure date.

97.4% of all reported vulnerabilities have at least one suggested fix in the open source community.

Unfortunately, while the open source community is doing a great job securing open source projects, users are unable to fully benefit from their efforts.

The problem is that information about vulnerabilities is not published in one centralized location but is scattered across hundreds of resources, usually poorly indexed and therefore hard to search. Even the CVE database is incomplete for open source.

This makes detecting open source components with known vulnerabilities an ongoing challenge for developers: a scanner that only matches CVE identifiers will miss a meaningful share of disclosed issues.

Only 86% of reported open source vulnerabilities appear in the CVE database.

Developers Are Inefficient When It Comes to Open Source Remediation

Key Takeaway:
Developers spend a lot of time addressing open source vulnerabilities, but the absence of standard practices for open source vulnerability management and developer-focused tools results in inefficient use of time.

The rise in open source vulnerabilities has not gone unnoticed by developers. Our survey clearly shows that developers have come to consider open source security vulnerabilities as their #1 challenge when using open source.

26% of developers rated security vulnerabilities as the top challenge posed by open source components. Open source software vulnerabilities were ranked above integration, functionality, licensing and selection. Larger organizations, in particular, are more concerned with open source security.

#1 Challenges in Using Open Source Components

This concern has become a costly issue, with developers spending almost 15 hours each month dealing with open source vulnerabilities (e.g., reviewing, discussing, addressing and remediating).

Hours Spent per Month Handling Open source Vulnerabilities

The cost goes even higher when we consider that the more experienced developers are usually the ones tasked with remediating open source vulnerabilities.

Hours Spent on Open source Vulnerabilities per Developers’ Experience

The WhiteSource survey also shows that of the roughly 15 hours per month developers spend on open source security vulnerabilities, only 3.8 hours go to actual remediation; the rest is spent reviewing and discussing them.

The absence of standard practices became apparent when developers were asked what they do when a vulnerability is discovered: the answers were numerous, with no clear common practice. This lack of set practices for attending to newly discovered vulnerabilities explains the inefficient use of time.

What Do You Do When a vulnerability is found?


Developers are spending almost 15 hours each month dealing with open source vulnerabilities

Prioritization is Key to Open Source Vulnerability Management

Key Takeaway:
A prioritization strategy for open source vulnerabilities is critical to ensure companies address the most urgent issues on time.

Inefficient remediation practices for security vulnerabilities are becoming a prime concern, since security teams are overwhelmed with alerts on a daily basis.

Top industry experts agree that attempting to solve every single issue is impossible, and that prioritization is key to efficient open source vulnerability management.


Perfect security is impossible. Zero risk is impossible. We must bring continuous risk and trust-based assessment and prioritization of application vulnerabilities to DevSecOps. In a futile attempt to remove all possible vulnerabilities from applications, we are slowing developers down and wasting their time chasing issues that aren’t real (false positives) or addressing lower-risk vulnerabilities that are real, but not directly or easily exploitable.

10 Things to Get Right for Successful DevSecOps
Neil MacDonald | Gartner

Survey results show that developers lack standardized best practices for prioritizing open source vulnerabilities.

Results also indicate that developers often look to the most readily available data when prioritizing remediation, such as the criticality of the application or the availability of a fix. In other words, they prioritize on the data they have, which is not necessarily the data that best reflects actual risk.

In the race against attackers, time is of the essence, especially for open source vulnerabilities, where the details are public to attackers as well.

A lack of vulnerability prioritization therefore leads to inefficient use of resources, with developers investing time in the “wrong” vulnerabilities.

Developers are Lacking Standard Practices to Prioritize Open Source Vulnerabilities

A better approach to prioritizing open source vulnerabilities is to base it on the vulnerability’s actual impact on the product’s security.

A vulnerable function in a library does not necessarily make the application that uses it vulnerable: if the proprietary code never calls that function, directly or through other libraries, the vulnerability is ineffective for that application.

Determining whether a vulnerability poses an actual risk, by checking its effectiveness, can save security and development teams precious time.

After testing 2,000 Java applications, WhiteSource found that 72% of all vulnerabilities detected in these applications were deemed ineffective.

Comparing effective with ineffective vulnerabilities shows how powerful prioritization by effectiveness is: the data shows that the number of open source vulnerability alerts can be reduced by about 70%.

Based on the data collected in our survey, this can be translated to saving 10.5 hours per month per each developer (70% of 15 monthly hours).

Organizations that adopt prioritization practices can salvage precious development time and improve the security of their products with quicker remediation of critical issues.
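The reachability idea described in this chapter, as an added example that is not WhiteSource’s code or its Effective Usage Analysis implementation: a small Python script that takes a constructed dependency tree and call graph, checks for each hypothetical advisory whether its vulnerable function is reachable from the application’s entry point, records whether the library is a direct or transitive dependency, and ranks alerts so that reachable ones come first whatever their CVSS score. The library names, function names, advisory ids and scores are all invented for the illustration.

```python
"""Reachability-based triage of open source vulnerability alerts.
Added illustration, not WhiteSource's Effective Usage Analysis code; it
assumes a call graph and dependency tree already extracted from the build.
"""
from collections import deque
from dataclasses import dataclass

# Constructed dependency tree: app -> direct deps -> transitive deps.
DEPENDENCIES = {
    "app": ["libjson", "libhttp"],
    "libjson": [],
    "libhttp": ["libcompress", "libtls"],
    "libcompress": [],
    "libtls": [],
}

# Constructed call graph (caller -> callees). "app.*" is proprietary code,
# everything else is open source library code. Leaf functions are omitted.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "libjson.parse"],
    "app.handle_request": ["libhttp.fetch"],
    "libjson.parse": ["libjson.parse_number"],
    "libhttp.fetch": ["libtls.handshake", "libcompress.inflate"],
}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # hypothetical advisory id, not a real CVE
    library: str
    function: str       # vulnerable entry point in the library
    cvss: float
    fix_available: bool


# Constructed advisories with hypothetical ids and scores.
VULNS = [
    Vuln("VULN-1", "libjson", "libjson.parse_number", 7.5, True),
    Vuln("VULN-2", "libjson", "libjson.parse_string", 9.8, True),
    Vuln("VULN-3", "libcompress", "libcompress.inflate", 8.1, False),
    Vuln("VULN-4", "libtls", "libtls.renegotiate", 5.3, True),
]


def dependency_depth(library, root="app", deps=DEPENDENCIES):
    """1 = direct dependency, >1 = transitive, None = not in the inventory."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth.get(library)


def call_trace(entry, target, graph=CALL_GRAPH):
    """Shortest call chain from a proprietary entry point to target, or None."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:  # walk the parent links back to the entry point
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def triage(vulns=VULNS, entry_points=("app.main",), graph=CALL_GRAPH, deps=DEPENDENCIES):
    """Mark each alert effective (reachable) or ineffective, then rank.

    Effective alerts first, by CVSS; ineffective ones sink to the bottom
    whatever their score, because the vulnerable code is never called.
    """
    results = []
    for v in vulns:
        trace = None
        for entry in entry_points:
            trace = trace or call_trace(entry, v.function, graph)
        depth = dependency_depth(v.library, deps=deps)
        results.append({"id": v.vuln_id, "library": v.library, "cvss": v.cvss,
                        "effective": trace is not None, "trace": trace,
                        "transitive": depth is not None and depth > 1,
                        "fix_available": v.fix_available})
    results.sort(key=lambda r: (not r["effective"], -r["cvss"]))
    return results


def ineffective_fraction(results):
    """Share of alerts needing no remediation (the report's 70% to 84%)."""
    return sum(not r["effective"] for r in results) / len(results)


if __name__ == "__main__":
    ranked = triage()
    for r in ranked:
        print(r["id"], "effective" if r["effective"] else "ineffective",
              "transitive" if r["transitive"] else "direct", r["trace"])
    print(f"alerts that need no work: {ineffective_fraction(ranked):.0%}")
```

Two things to notice in the output: VULN-2, the highest-scoring alert, drops below a 7.5 that the application actually reaches, and the effective VULN-3 sits in a transitive dependency with no upstream fix, which is exactly the case an inventory that stops at direct dependencies would miss. The classification is only as good as the call graph: reflection, dynamic dispatch, plugin loading and vulnerabilities on data-parsing paths the graph does not model can make an alert look ineffective when it is not, so treat “ineffective” as “lower priority”, not “ignore”.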


Effective Usage Analysis

Key Takeaway:
A solid prioritization practice for open source vulnerability remediation can reduce security alerts by 70% to 80%.
WhiteSource recently launched a new technology for prioritizing open source vulnerabilities based on the way the application actually uses them: Effective Usage Analysis.

Beta testing on 25 commercial applications from 12 organizations showed that:

  • All analyzed projects were found to be vulnerable, with at least one open source vulnerability. On average, each project contained 8.2 vulnerable libraries.
  • 90% of the vulnerabilities (effective and ineffective) were found in transitive dependencies, which emphasizes the importance of an accurate open source inventory, including indirect dependencies, for security purposes.
  • 84% of all open source vulnerability alerts were found to be ineffective, having no impact on the security of the products; only 15.8% were found to be effective.
  • 64% of all analyzed projects contained only ineffective open source vulnerabilities, and therefore did not require any remediation effort.


The volume of ineffective open source vulnerabilities found shows that the time and effort organizations currently invest in research and remediation of open source vulnerabilities can be greatly reduced.

The Effective Usage Analysis technology helped development teams save time by locating the effective vulnerabilities that required immediate attention and focusing resources on them. Team leaders and managers reported that the new technology:

  • Enables effortless prioritization of open source vulnerabilities by classifying them visually according to their impact on the project’s security.
  • Facilitates remediation by identifying the file and line numbers of direct and indirect calls made from proprietary code into vulnerable open source functions.
  • Saves an additional 10% to 20% of the time developers invest in remediation, on top of the much smaller number of vulnerabilities they have to handle.

The best thing about this new technology is being able to prioritize which vulnerabilities need to be remediated first. It’s been easier tackling the vulnerabilities in our products with a technology that is so easy and scalable.

Senior Director Application Information Security, IGT

After seeing the dramatic results of our beta testing, we have no doubt that implementing Effective Usage Analysis on our entire code will be a breakthrough in both reducing effort and improving our results when dealing with open source security vulnerabilities.

CIO, VP IT & DevOps, ECI Telecom

Effective Usage Analysis gives us the added value of faster remediation, with trace analysis that pinpoints the exact location of vulnerable dependencies. This new capability enables us to significantly cut down on the time our developers spend dealing with open source vulnerability alerts.

Senior Release Manager, ForgeRock

About WhiteSource

WhiteSource’s vision is to empower businesses to develop better software, by securing and managing the open source components in their software.

A trusted leader in Software Composition Analysis, WhiteSource helps industry giants like Microsoft, IBM, Comcast and hundreds more to harness the power of open source with their continuous open source security and license compliance management solution.

Founded in 2011. Offices in NY, Boston and Tel Aviv.

500+ customers
Empowering over 1.2M developers
Supporting 23% of the Fortune 100
Over 300% growth YoY for 3 consecutive years