Open Source Flaws Take Years to Find But Just a Month to Fix

Companies need to embrace automation and dependency tracking to keep software secure, GitHub says in its annual security report.

Developer mistakes and indirect dependencies are the two main sources of vulnerabilities in open source software projects, which together are expected to cause the majority of security alerts in the next year, according to GitHub's annual Octoverse report, published today.


Using data collected from its own platform, GitHub found the vast majority of projects used open source software, from a low of 65% for Java applications to a high of 94% for JavaScript applications. On average, a vulnerability goes undiscovered for 218 weeks, or more than four years, while it takes just over a month to fix the average vulnerability.


Developers must anticipate the need to fix issues quickly and improve open source security, rather than finding ways to reduce reliance on open source, says Maya Kaczorowski, senior director of product management for GitHub.


"Rather than try to offset the use of open source, embrace it," Kaczorowski says. "Increased transparency and information about what you're consuming in your software supply chain allows you to feel more confident that you're appropriately addressing risks, such as security vulnerabilities, that you may be consuming."


For the report, GitHub scanned more than 45,000 active repositories on its service that use one of six major open source software ecosystems — such as Node Package Manager (NPM) for JavaScript or RubyGems for Ruby — and have their dependency-graph feature turned on. The reliance on open source projects leads to vulnerabilities trickling down from one open source library to the programs that depend on it, with an average of 59% of active repositories likely to receive a vulnerability alert from GitHub's Dependabot service in th ..
