Here’s why bugs in open source software hit a record high

Wider adoption of open source software, combined with more focused efforts to find dangerous bugs, has pushed the number of reported open source vulnerabilities to a record: from about 4,100 in 2018 to 6,100 in 2019.

The figures come from a report by the security company WhiteSource, which shows that reported open source vulnerabilities have risen sharply since 2009, when fewer than 1,000 were logged for the year.

A major turning point for open source security came in 2014, when Google reported the widespread OpenSSL Heartbleed bug. The incident prompted the tech industry to act on poorly funded open source projects that are essential to the Internet but lack the resources to find and fix bugs.

The incident led to the Linux Foundation's Core Infrastructure Initiative (CII), backed by Amazon, Google, IBM, Intel, Microsoft, Cisco and others. According to WhiteSource's figures, the number of reported security bugs stayed below 1,500 a year in 2015 and 2016, then climbed above 4,000 a year in 2017 and 2018.

Most vulnerabilities are already known, and already fixed

Many of the newly discovered bugs come from Google's open source fuzzing tools such as OSS-Fuzz, which by 2018 had found 9,000 flaws in two years of operation. By January 2020 it had helped find 16,000 bugs across 250 open source projects.

WhiteSource found that 85% of open source vulnerabilities are disclosed with a fix already available. However, it notes that some users never learn of those fixes, because only 84% of known open source bugs are recorded in the National Vulnerability Database (NVD).

“Vulnerability information is not published in one centralized location, but rather dispersed across hundreds of resources, and sometimes poorly indexed – which often makes finding specific data difficult,” the report notes.

GitHub lends support

Last year, WhiteSource contributed its vulnerability database to GitHub to back GitHub's security alert service. GitHub scans project dependencies for known vulnerabilities in projects written in PHP, Java, Python, .NET, JavaScript and Ruby, and has helped developers find and fix millions of known dependency flaws.

Last year GitHub, the Microsoft-owned code-hosting site, which can assign its own CVEs, also launched a program called Security Lab to help developers find and fix bugs.

While welcoming GitHub's efforts, WhiteSource points out that developers risk being swamped by the higher volume of bugs reported. “Our concern is that, while these tools help to report vulnerability issues appropriately, they will likely only compound the problem with software developers who are already struggling to keep up with the increased pace,” WhiteSource notes.

More bugs in PHP than in Python

WhiteSource also broke down vulnerabilities by programming language. Most vulnerable code was written in C, which accounts for 30% of vulnerabilities, down from 47% a decade ago. The company attributes C's high share largely to the sheer amount of code written in it.

By contrast, PHP accounts for 27% of security bugs, up from 15% ten years ago, even though the language is declining in popularity with developers. Python accounted for only 5%, down from 6% a decade ago.

The most common vulnerability types in 2019 were cross-site scripting, improper input validation, buffer errors, out-of-bounds reads, and information exposure.

Cross-site scripting was the most common vulnerability type for Java, JavaScript, PHP, Python and Ruby. For C, which is not a memory-safe language, it was “improper restriction of operations within the bounds of a memory buffer” (CWE-119).
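The C finding above (CWE-119) is the same class of defect as the Heartbleed bug mentioned earlier: a length field supplied by the peer is trusted when copying out of a buffer. The program below is an added example written for this page, not code from the article, from WhiteSource or from OpenSSL. It uses a constructed toy record format (type byte, two-byte big-endian length, payload; not the real TLS heartbeat encoding) and a constructed byte array standing in for the memory that happens to follow the record, and puts an unchecked parser beside a hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy record format, constructed for this example (not the real TLS
 * heartbeat encoding): [type:1 byte][payload_len:2 bytes, big-endian][payload]
 * The sender controls payload_len; the receiver must not trust it.
 */

#define OUT_CAP 64

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable: copies as many bytes as the record *claims* to carry.
 * If the claim exceeds what was actually received, memcpy reads past the
 * record into whatever lies next in memory (the CWE-119 pattern). */
size_t echo_payload_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t declared = read_be16(rec + 1);
    size_t n = declared < out_cap ? declared : out_cap; /* protects dst only */
    memcpy(out, rec + 3, n);                            /* src is unbounded */
    return n;
}

/* Hardened: the declared length must fit inside the bytes actually received
 * and inside the destination. Returns 0 on success, -1 on a malformed record. */
int echo_payload_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < 3) return -1;                 /* header incomplete */
    size_t declared = read_be16(rec + 1);
    if (declared > rec_len - 3) return -1;      /* length field lies */
    if (declared > out_cap) return -1;          /* would overflow dst */
    memcpy(out, rec + 3, declared);
    *out_len = declared;
    return 0;
}

/* Constructed memory layout: a 5-byte record (2 real payload bytes) that
 * claims 16 bytes, followed by bytes standing in for adjacent secret data.
 * Keeping everything inside one array keeps this demo within defined behaviour. */
static const uint8_t arena[32] = {
    0x01, 0x00, 0x10,                                   /* type 1, claims 16 */
    'h', 'i',                                           /* actual payload   */
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S'
};
#define REC_LEN 5

/* Returns 1 if the unchecked parser echoed the neighbouring "SECRET" bytes. */
int demo_unchecked_leaks_secret(void) {
    uint8_t out[OUT_CAP] = {0};
    size_t n = echo_payload_unchecked(arena, out, sizeof out);
    return n == 16 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* Returns 1 if the checked parser rejects the lying record but still
 * accepts an honest record of the same size. */
int demo_checked_rejects_lie(void) {
    static const uint8_t honest[REC_LEN] = { 0x01, 0x00, 0x02, 'h', 'i' };
    uint8_t out[OUT_CAP];
    size_t n = 0;
    int lie_rc = echo_payload_checked(arena, REC_LEN, out, sizeof out, &n);
    int honest_rc = echo_payload_checked(honest, REC_LEN, out, sizeof out, &n);
    return lie_rc == -1 && honest_rc == 0 && n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void) {
    printf("unchecked parser leaks adjacent bytes: %s\n",
           demo_unchecked_leaks_secret() ? "yes" : "no");
    printf("checked parser rejects bad length:     %s\n",
           demo_checked_rejects_lie() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall -Wextra example.c`. The point of the hardened version is the second check: capping the copy by the destination's capacity (which the unchecked version does) is not enough, because the overflow here is on the source side; the declared length has to be bounded by the number of bytes actually received. In the demo the over-read stays inside `arena`, so the program is well defined; in a real server the same copy would walk into whatever heap data followed the request.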

