More and more vulnerabilities for open source
RiskSense's report The Dark Reality of Open Source does not focus on products such as Linux, WordPress or Drupal, whose popularity and wide deployment attract enough scrutiny that they are constantly monitored and flaws in their code are surfaced and fixed quickly. It looks instead at lesser-known tools that are nonetheless used at large scale: from Jenkins to MongoDB, from Elasticsearch to Chef, through to GitLab, Spark and Puppet. What the researchers found is strong growth in the number of bugs reported during 2019: 968 compared to 421 in 2018, a figure that more than doubled in twelve months.
According to RiskSense, one of the main problems to take into account is that a large share of the vulnerabilities was added to the National Vulnerability Database only several weeks after their discovery, leaving the software and those who use it exposed for a long time to exploits developed by attackers in the meantime. The average delay is 54 days, but in some cases (as with PostgreSQL) it reached 246 days. Any vulnerability scanner or patch process that keys on NVD entries alone inherits that lag, so project advisories and release notes need to be tracked directly.
The projects most targeted from 2015 to 2019 were Jenkins and MySQL, with 646 and 624 vulnerabilities respectively found in five years, of which 30 (15 each) were exploited in attacks. It should be made clear, however, that a large number of bugs does not necessarily mean a more exposed piece of software: the highest share of flaws actually targeted by attackers belonged to the virtualization tool Vagrant, with only 9 vulnerabilities identified but two-thirds of them exploited. A raw CVE count reflects how closely a project is scrutinized as much as how exposed it is; the ratio of exploited to reported flaws is the more useful measure.
The full version of the report, The Dark Reality of Open Source, is available on RiskSense's official website.
Source: RiskSense