Open Source Vulnerabilities Increase in 2018

April 30, 2019

Many organizations are still struggling to identify and manage open source risk across their application portfolios, according to the Open Source Security & Risk Analysis (OSSRA) report.

The report says, "while the number of vulnerabilities in open source is small compared to proprietary software, over 7,000 open source vulnerabilities were discovered in 2018 alone. Over 50,000 have emerged over the past two decades."

The report highlights the persisting challenges organizations face when it comes to managing open source risk, including:

A rise in the average number of open source components detected in each codebase, with more than 298 open source components on average found. Those using open source often overlook associated security and license risks.
Another record year for number of open source vulnerabilities disclosed in the NVD. 60 percent contained at least one open source vulnerability and 68 percent contained components with license conflicts, the report says.
An increase in the average age of open source vulnerabilities detected, with more than 40 percent of code bases containing a vulnerability that was disclosed more than a decade ago.
Over 40 percent of codebases contain a high-risk vulnerability.

Despite these challenges, the 2019 OSSRA data suggests that, in the wake of the Equifax breach, an increase in awareness of open source risk and the maturation of commercial software composition analysis solutions has led to forward progress, including:

The percentage of codebases that contain vulnerable components have decreased.
The percentage of codebases that contain license conflict have decreased.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Open Source Vulnerabilities Increase in 2018

Related Articles

Related Products

Related Events

Report Abusive Comment