Dark Reading
6/25/2020 12:30 PM

Vulnerabilities Declining in Open Source, but Slow Patching Still a Problem

Even as more code is produced, indirect dependencies continue to undermine security.

Driven by growth in the JavaScript, Java, and Python ecosystems, the number of open source software packages more than doubled in 2019, but the number of vulnerabilities fell by 20%, suggesting that developers are weeding out simple vulnerabilities, a new report shows. 

While the decrease is undoubtedly good news, most development teams still fail to adequately inventory their software dependencies. That is a point of concern because indirect dependencies (libraries pulled in by the libraries a developer imports) can account for the majority of vulnerabilities. More than 70% of vulnerabilities in Node.js, Ruby, and Java, for example, occur in indirect dependencies rather than in the library the developer imported directly, according to the "State of Open Source Security 2020" report, published today by software security firm Snyk.

In one case, a Java application consisted of 80 lines of its own code and declared seven dependencies, but once the full dependency tree was resolved it pulled in 59 sub-dependencies and more than 700,000 lines of code, says Alyssa Miller, application security advocate at Snyk.

"You don't even necessarily know that all those dependencies are there, but they are undermining your security," she says.
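The inventory problem Miller describes is easy to see once a lockfile is walked rather than read. The following is an added example, not code from the Snyk report or from Dark Reading: it takes a small, constructed package-lock-style dependency tree and a constructed advisory list (all package names, versions, and advisory IDs are invented for illustration), separates direct from transitive dependencies, and attributes each known vulnerability to the path that pulled the affected package in. Real tooling would match semver ranges rather than exact versions; exact matching is used here to keep the example self-contained.

```javascript
// Added example (not from the Snyk report): direct vs. transitive
// dependency inventory, and attribution of advisories to install paths.

// Constructed tree shaped like the "dependencies" field of an npm
// package-lock.json, heavily simplified. Names and versions are invented.
const lockfile = {
  name: "example-app",
  dependencies: {
    "web-framework": {
      version: "2.1.0",
      dependencies: {
        "deep-merge-lib": { version: "1.0.3" },
        "http-parser": {
          version: "0.9.1",
          dependencies: { "deep-merge-lib": { version: "1.0.3" } },
        },
      },
    },
    "cli-colors": { version: "4.0.0" },
  },
};

// Constructed advisory feed: package name -> affected exact versions.
// (Real feeds use semver ranges; exact versions keep this runnable offline.)
const advisories = {
  "deep-merge-lib": [{ id: "ADV-EXAMPLE-1", affected: "1.0.3", title: "prototype pollution in merge()" }],
  "cli-colors": [{ id: "ADV-EXAMPLE-2", affected: "4.0.0", title: "ReDoS in ANSI parsing" }],
};

// Depth-first walk that records every installed copy together with the
// chain of packages that caused it to be installed.
function walk(node, path, out) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const depPath = [...path, `${name}@${dep.version}`];
    out.push({ name, version: dep.version, path: depPath, direct: path.length === 0 });
    walk(dep, depPath, out);
  }
  return out;
}

// Counts of what is actually on disk vs. what the developer declared.
function inventory(lock) {
  const installed = walk(lock, [], []);
  const unique = new Set(installed.map((d) => `${d.name}@${d.version}`));
  return {
    installed: installed.length,
    direct: installed.filter((d) => d.direct).length,
    transitive: installed.filter((d) => !d.direct).length,
    unique: unique.size,
  };
}

// Every installed copy that matches an advisory, with the path that
// answers "why is this in my application at all?".
function findVulnerable(lock, advisoryDb) {
  const findings = [];
  for (const dep of walk(lock, [], [])) {
    for (const adv of advisoryDb[dep.name] || []) {
      if (adv.affected === dep.version) {
        findings.push({
          id: adv.id,
          name: dep.name,
          version: dep.version,
          direct: dep.direct,
          path: dep.path.join(" > "),
        });
      }
    }
  }
  return findings;
}

// Share of findings that live in indirect dependencies, the figure the
// report highlights per ecosystem.
function summarize(findings) {
  const indirect = findings.filter((f) => !f.direct).length;
  return { total: findings.length, indirect, indirectShare: findings.length ? indirect / findings.length : 0 };
}

console.log(inventory(lockfile));
for (const f of findVulnerable(lockfile, advisories)) {
  console.log(`${f.id} ${f.name}@${f.version} ${f.direct ? "direct" : "indirect"}: ${f.path}`);
}
console.log(summarize(findVulnerable(lockfile, advisories)));
```

On the constructed tree, two declared dependencies resolve to five installed copies, and two of the three findings sit in an indirect dependency that appears nowhere in the application's own manifest; the recorded path is what tells the developer which direct dependency to upgrade or pin.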

As open source software components have become arguably the most important part of software development, managing the vulnerabilities posed by those components has become a major task for companies. Almost every software program uses open source software, with the average application using 445 open source components, according to a recent study by Synopsys.

Acknowledging this, the Information Security Forum (ISF) released its "Deploying Open Source Software: Challenges and Rewards" report today, highlighting best practices for companies using open source software in development.

"Many organizations are adopting agile and DevOps methodologies, which is driving an increased uptake of OSS [open source software] and, in turn, the creation of new mixed-source applications," stated Paul Holland, principal research analyst at the ISF. "The growing prevalence of OSS needs to be balanced by a concerted effort to manage its use appropriately and effectively."

Different programming languages and their associated application frameworks have different considerations when it comes to securing software. PHP applications tend to use a relatively small number of open source libraries (34, on average) but have a higher number of vulnerabilities, according to data analyzed by application security firm Veracode.

In its latest report, Snyk found that the popularity of JavaScript-based web application frameworks continued to grow as more developers relied on JavaScript and Node.js. The survey component of the study found that 73% of developers used JavaScript-based platforms. That popularity drove the number of packages in the npm registry, which serves Node.js applications, to more than double, to about 1.3 million.

The heavy reliance of JavaScript programs on imported code (the average application has 377 dependencies, according to Veracode) means more indirect dependencies. In its analysis, Snyk found that 86% of JavaScript vulnerabilities occurred in indirect dependencies.

"There are a lot of factors that can come into play here. NPM has a pretty significant drop in the number of vulnerabilities, but they also have a solid backlog of vulnerabilities that they are investigating, which is causing delayed fixes," Miller says.

Two classes of vulnerability illustrate a pattern peculiar to open source dependencies: a given vulnerability type tends either to generate many reported issues or to be widespread across projects, but rarely both.

A significant number of open source projects suffered attacks in the form of malicious changes to the project's code, according to the report. Such a change typically happens when a rogue developer, often an agent of a nation-state or a cybercriminal gang, joins a project and introduces a vulnerability or backdoor. Yet, while critical in severity, malicious changes affected relatively few projects.

On the other hand, a class of JavaScript vulnerabilities known as prototype pollution can affect thousands of packages through a single flaw. Two prototype pollution vulnerabilities affected more than 25% of the projects Snyk scanned, the report said. Prototype pollution occurs when a library copies properties from untrusted input, such as parsed JSON, into an object without checking for special keys like __proto__ or constructor. The attacker-supplied values end up written onto Object.prototype, and because nearly every object in the runtime inherits from that prototype, the injected properties appear on all of them, where later code may treat them as trusted configuration or authorization flags. That turns a bug in one widely used utility, such as a deep-merge or set-by-path helper, into an exposure for every package that depends on it. The class is not widely understood, but a single issue can have broad impact.

"They are difficult to find," Miller says. "I think that is the reason we see a low number of them. It is not a well-understood vulnerability at this point."
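To make the mechanism concrete, the following is an added example and not code from the Snyk report or from any library the report names: a naive recursive merge of the kind found in many small utilities, a payload of the shape an attacker would submit as a JSON request body, and a hardened version of the same function. The payload, function names, and the isAdmin flag are all invented for illustration.

```javascript
// Added example (not from the Snyk report): prototype pollution through
// a naive deep merge, and the hardened equivalent.

// Vulnerable: recurses into any object-valued key, including "__proto__".
// On a plain {} target, target["__proto__"] resolves to Object.prototype,
// so the recursive call writes the attacker's keys onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === "object" && source[key] !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own, enumerable keys of plain objects are copied, the
// keys that reach the prototype chain are refused, and the target is only
// descended into when it already owns a plain object under that key.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // throwing here is also reasonable
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse creates an *own* property
// literally named "__proto__", which is what the merge then follows.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Runs both merges and reports whether unrelated objects were polluted.
function demonstrate() {
  const unrelated = {};
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const pollutedAfterUnsafe = unrelated.isAdmin === true; // true: every object now "isAdmin"
  delete Object.prototype.isAdmin; // undo the pollution before the second run

  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  const pollutedAfterSafe = unrelated.isAdmin === true; // false
  return {
    pollutedAfterUnsafe,
    pollutedAfterSafe,
    mergedName: merged.name,
    mergedOwnsProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"),
  };
}

console.log(demonstrate());
```

The dangerous step is not the assignment of isAdmin but the lookup target["__proto__"] on an object that has no such own property: it falls through to the inherited accessor and hands back Object.prototype. Checking hasOwnProperty before descending and rejecting the three special keys closes both the __proto__ route and the constructor.prototype route. As defense in depth, Node.js can also be started with --disable-proto=delete so that the __proto__ accessor does not exist at all, though that does not protect code that runs in browsers.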

Finally, software container images (Docker being the most popular example) often bundle a large amount of vulnerable software and should be scanned as well, Snyk said. The latest official Node.js image at the time of the report carried 642 known vulnerabilities in the software packaged inside the image, including 17 rated high severity, the company said.

"Companies need to try to minimize the software footprint of these images," Miller says. "If you pull Node-Slim [the slimmed-down variant of the official Node.js image], then you lose 95% of the vulnerabilities. So if you don't need the full-blown image, choose the minimal version."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...