Managing the Rise of Open Source Software Vulnerabilities

Introduction

Open Source Software (OSS) has had an enormous impact on the development of software within enterprises. Many stages in the software supply chain make use of OSS, and this creates cybersecurity risks that enterprises must address to withstand the ever-increasing threat of being breached by hackers.

This report focuses on OSS security, examining recent high-profile vulnerabilities, how to improve OSS security, and whether vulnerabilities need to be fixed right from the start. Research for this report has been collected from multiple sources linked to and referenced throughout the report. In addition, we have provided proprietary data gathered from our platform and insights from cybersecurity experts within our teams.

Abstract

Known software vulnerabilities continue to increase year after year, with 25,223 software products affected by at least one vulnerability in 2021. This is an increase from the 24,342 in 2020 and has been driven by the growing scale of software development. The US Bureau of Labor Statistics forecasts that by 2031, demand for developers will grow by 25%.

The upward trend is also affected by enterprises’ increased usage of OSS, and a growing number of “bad actors” that infiltrate the Open Source community. OSS development is fundamentally based on open collaboration, involving the sharing and reuse of source code. The opportunity to inject source code changes that are ultimately consumed by a wide audience entices “bad actors” to exploit the open and collaborative nature of OSS software development. There has been a 700% jump in attacks against open-source projects during the past three years as of September 2022.

As enterprises increase their dependency on OSS to accelerate the rate at which they can deliver value to their stakeholders and customers, they need to balance the benefits with the risks and costs inherent in the consumption of OSS.

Part 1: The Current State of Open Source Vulnerabilities

Open source is a valuable resource for enterprises. Copyright licences encourage no-charge reuse and redistribution, which saves enterprises large sums of money compared to developing equivalent capabilities in proprietary software. Crowdsourced development also makes it faster for large organisations to build new features and integrations, reducing time-to-market.

In general, the exhaustive peer-review processes relied upon in successful OSS projects have an exceptionally good reputation for strong security. However, the quality and engagement of communities vary wildly. Larger projects, such as major Linux distributions, often have more well-defined procedures and a larger pool of developers to enforce rigorous security practices consistently.

Challenges for Enterprises

Dependency Depth: Smaller OSS projects often depend on larger projects with no limit on the layers of depth, making it difficult to find out how many dependencies actually exist.
Inventory Management: Many enterprises lack a well-managed Bill of Materials (software asset inventory), making it impossible to know when a project becomes vulnerable or how to patch it.
Resource Allocation: Diverting resources from core functional delivery to OSS security is often difficult to justify to stakeholders without a clear argument.

OSS is used across industries; in a 2021 audit of 2,409 codebases, 97% contained open source. Of those, 88% had outdated versions of open-source components where updates or patches had not been applied. BlueOptima data found that 48% of hundreds of thousands of repositories had some level of dependency on outsourced developers.

Examples of Recent OSS Vulnerabilities

Apache Log4Shell (CVE-2021-44228): A critical flaw in the Java-based logging library Log4j with a severity score of 10/10.
Microsoft Azure Service Fabric: A flaw discovered in October 2022 that allowed elevation of privilege and remote takeover of nodes. Attackers could seed the application with scripts and gain administrator access over the host.
Event-stream: In 2018, a bad actor took over this project and inserted code into the library distributed through NPM. It was included in at least 3,931 packages as a dependency.

Part 2: The Major Vulnerabilities and How They Are Changing

The OWASP Top 10 outlines the most significant security concerns for web applications.

Top Vulnerability Categories:

A01:2021-Broken Access Control: Over 318k occurrences of Common Weakness Enumerations (CWEs) fell into this category.
A02:2021-Cryptographic Failures: Focuses on defects that lead to sensitive data exposure.
A03:2021-Injection: Includes SQL, NoSQL, OS command, and LDAP injections.
A04:2021-Insecure Design: A new category focusing on flaws in design.
A05:2021-Security Misconfiguration: Increased risk due to more highly configurable software.
A06:2021-Vulnerable and Outdated Components: A struggle for many enterprises to test and assess.
A07:2021-Identification and Authentication Failures: Critical weaknesses in identity confirmation.
A08:2021-Software and Data Integrity Failures: Compromises arising from untrusted plugins or modules.
A09:2021-Security Logging and Monitoring Failures: Includes failures that are difficult to test for.
A10:2021-Server-Side Request Forgery (SSRF): Shows a relatively low incidence rate but remains present.

Part 3: How to Combat Vulnerabilities Within OSS

IT leaders need to develop a greater awareness of dependencies and proactively monitor components.

Strategies to Mitigate Risk

Identify and Prioritise Attackable Vulnerabilities: Not every vulnerability needs to be fixed right away. Teams must assess which are urgent versus low-risk to avoid unnecessary delays to deliverables.
Fix Easily Remediated Flaws First: Choosing vulnerabilities that require less effort provides the maximum reduction in attack surface with minimum impact on functional delivery.
Reduce False Positives: Implementing more frequent and early testing helps developers resolve real issues faster.
Increase Scan Frequency: Automated insertion into the CI pipeline allows daily analysis of imported OSS for known vulnerabilities.
Rapid Scans: These improve coverage for fast-iterating applications and allow issues to be fixed before they become major concerns.

BlueOptima Code Insights

BlueOptima’s Code Insights provides objective insights into a development team’s source code. It helps teams accurately identify and eliminate security risks while minimizing the impact on technical debt incurred from shift-left initiatives.

Contact Information

Phone: +44 207 100 8740
Website: www.blueoptima.com
Email: [email protected]

‍