Developers are increasingly relying on open source components to build software for businesses. GitHub's research has shown that modern applications can be 80% dependencies, so the security of those dependencies is especially important. Unfortunately, dependency-related vulnerabilities are mostly discovered by accident and can go unnoticed for more than four years.
GitHub's tooling lets maintainers quickly notify developers about newly found holes in open-source projects and about the availability of patches, but detecting such security flaws in the first place remains a serious concern for the service's operators. To gauge the scale of the problem, the researchers examined (PDF) the contents of 45 thousand public repositories that had been active for at least two years, from October 2018 to September this year.
The dependencies found were divided into five groups by the language they are written in (PHP, Java, JavaScript, .NET, Python and Ruby). Third-party libraries turned out to be used most often in JavaScript (94% of applications), followed by Ruby and .NET (90% each).
The pace of patching open-source packages proved acceptable: community members close holes within a month, and users who receive a notification usually manage to fix their product within a week. However, not all GitHub notifications deserve close attention: in 83% of cases the subject of the alert was a bug that posed no security threat. The remaining warnings were justified, announcing a vulnerability (or backdoor) in an open-source package. Unfortunately, such problems are mostly found in abandoned or rarely used projects.
According to the researchers, the situation can be corrected only through the combined efforts of developers, repository operators and users. All of them should regularly check the dependencies in their code for vulnerabilities and make wider use of automated tools for notification and for patching dependent code; according to GitHub, this would speed up the patching of holes in applications by a factor of 1.4. Of the vulnerabilities recorded in 2020, the researchers considered Curveball (CVE-2020-0601), SMBGhost (CVE-2020-0796) and Zerologon (CVE-2020-1472) the most dangerous.
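As an added example (not the article's code and not GitHub's own alerting tooling), the following shows the core matching step that such an automated dependency check performs: walk the resolved versions recorded in a lockfile and compare each against advisories that carry an introduced/fixed version range. The lockfile, the package names and the advisory ids below are constructed placeholders, not real packages or real CVEs.

```javascript
// Added example, not code from the article or from GitHub's tooling.
// Core of an automated dependency alert: match resolved lockfile versions
// against advisories with an [introduced, fixed) range. All data below is
// constructed; package names and advisory ids are invented placeholders.

// Constructed npm lockfile in the lockfileVersion 2/3 "packages" layout.
const SAMPLE_LOCKFILE = {
  packages: {
    "": { name: "example-app" },
    "node_modules/example-merge": { version: "4.1.7" },
    "node_modules/example-template": { version: "2.0.3" },
    "node_modules/@example/parser": { version: "1.9.0" },
    "node_modules/example-template/node_modules/example-merge": { version: "4.2.0" },
  },
};

// Constructed advisories. "fixed" is exclusive; no "fixed" means no patch yet.
const SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", package: "example-merge", introduced: "4.0.0", fixed: "4.2.0",
    summary: "prototype pollution when merging untrusted input" },
  { id: "EXAMPLE-ADV-0002", package: "@example/parser", introduced: "1.0.0",
    summary: "denial of service on malformed input" },
  { id: "EXAMPLE-ADV-0003", package: "example-template", introduced: "3.0.0", fixed: "3.0.2",
    summary: "template injection" },
];

// Lockfiles hold resolved x.y.z versions, so no range syntax is needed here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a resolved x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (so 4.10.0 > 4.9.9, unlike a string sort).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true when version lies in [introduced, fixed)
function isAffected(version, advisory) {
  if (compareVersions(version, advisory.introduced) < 0) return false;
  return advisory.fixed === undefined || compareVersions(version, advisory.fixed) < 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Every installed copy is checked separately: a nested duplicate may sit on
// a different version than the top-level one.
function scanLockfile(lockfile, advisories) {
  const alerts = [];
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(path);
    if (name === null || !entry.version) continue;
    for (const adv of advisories) {
      if (adv.package === name && isAffected(entry.version, adv)) {
        alerts.push({
          path, package: name, version: entry.version, advisory: adv.id,
          patchAvailable: adv.fixed !== undefined, upgradeTo: adv.fixed ?? null,
        });
      }
    }
  }
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanLockfile(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES));
}
```

On the constructed data this yields two alerts: the top-level example-merge 4.1.7 (patch available, upgrade to 4.2.0) and @example/parser 1.9.0 (no fix yet), while the nested example-merge 4.2.0 is already clean. The patchAvailable field is what turns a notification into something a user can act on within the week the report describes.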
These vulnerabilities have affected a large number of developments and have compromised many endpoints and corporate networks. From a patching point of view, CVE-2020-8203 in the lodash npm package is also quite annoying, which allows you to make unwanted changes to the JavaScript object prototype. Research has shown that the lodash script is very popular with business software developers, and the emergence of CVE-2020-8203 has generated more than five million alerts triggered by the GitHub bot.
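The lodash issue belongs to the class known as prototype pollution. The following is an added example, not code from the article and not lodash's own code: it shows the general shape of a recursive merge that a key literally named `__proto__` can steer into `Object.prototype`, a hardened merge beside it, and a scanner that flags such keys in untrusted JSON before it reaches any merge. The function names and the sample payloads are this example's own.

```javascript
// Added example, not the article's code and not lodash's code. General
// pattern of prototype pollution in a recursive merge, a hardened merge, and
// an input scanner. Names and payloads are constructed for this example.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge. It copies every own key of `source`, including one named
// "__proto__". JSON.parse creates that key as an ordinary own property, but
// reading target["__proto__"] goes through the accessor on Object.prototype,
// so the recursion lands on Object.prototype itself and writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveMerge(target[key], value);
    } else if (isPlainObject(value)) {
      target[key] = naiveMerge({}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach a prototype through property access on a plain object.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge: refuses the unsafe keys outright (surfacing the attempt
// to the caller) and only recurses into properties `target` owns itself.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-validation helper: dotted paths of every unsafe key in a decoded JSON
// document, so a request can be rejected and logged before any merge runs.
function findUnsafeKeys(value, path = "", out = []) {
  if (!isPlainObject(value)) return out;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) out.push(here);
    findUnsafeKeys(value[key], here, out);
  }
  return out;
}

// Runs both merges against the same constructed hostile payload and reports
// what each did to Object.prototype; cleans up after itself.
function demonstrate() {
  const payload = '{"settings": {"__proto__": {"isAdmin": true}}}';
  const result = { naivePolluted: false, safeRejected: false, safePolluted: false };

  naiveMerge({}, JSON.parse(payload));
  result.naivePolluted = ({}).isAdmin === true; // a brand-new object now "has" isAdmin
  delete Object.prototype.isAdmin;              // undo the pollution

  try {
    safeMerge({}, JSON.parse(payload));
  } catch (e) {
    result.safeRejected = true;
  }
  result.safePolluted = ({}).isAdmin !== undefined;
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
}
```

Throwing rather than silently dropping the key is a deliberate choice here: a `__proto__` key in a request body is almost never legitimate, and rejecting it produces a log line that detection can key on. `findUnsafeKeys` covers the case where the merge lives in a third-party library that cannot be changed immediately, which is exactly the situation a dependency alert leaves a team in until the upgrade lands.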