18 October 2022 at 15:21 UTC
Updated: 24 November 2022 at 13:38 UTC
Attack surge blamed on ‘avoidable’ bugs
Researchers warn that there has been a 633% year-over-year increase in cyber-attacks launched against open source software repositories.
Open source components, frameworks, libraries, and whole platforms are relied upon by organizations during multiple stages of the software development lifecycle. These components provide the lynchpins for communication, software capabilities, security, and user interactions – and as they are developed and reviewed by communities, open source promotes innovation in the software space.
However, the other side of the coin is that open source contributors are volunteers; therefore, security issues can sometimes slip through the net. Furthermore, IT teams may not be aware of what open source software is in use and so they might easily miss patch alerts and upgrades that impact their business.
New research suggests that cyber-attackers – well aware of organizational reliance on open source software – are increasing their attempts to compromise repositories year on year.
According to Sonatype’s 8th Annual State of the Software Supply Chain report, known attacks against open source repositories have increased by 633% year-over-year, and there has been an annual, overall increase of 742% since 2019.
However, this popularity has security ramifications.
“The amount of third-party code flowing through software supply chains occurs on a massive scale,” the researchers said. “Yet published code accrues technical debt over time, creating the potential for compounded security vulnerabilities, if not kept up-to-date.”
According to the researchers, 1.2 billion Java dependencies known to be vulnerable, for example, are downloaded each month while new, patched, or improved versions are ignored.
Sonatype said this is a prime example of “non-optimal consumption behaviors as the root of open source risk”.
“This is in contrast to public discussion, which often associates security risk with open source maintainers,” the report added.
Risky behavior is not necessarily anyone’s fault. Developers tasked with managing dependencies face more complexity in their roles than ever, with the average Java application containing 148 dependencies – 20 more than 2021’s average – and going through an average ten updates a year.
Each dependency could contain vulnerabilities, so developers must track potentially thousands of changes per year, per app. Therefore, mistakes will be made.
Brian Fox, co-founder and CTO of Sonatype said that “the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality”.
It is, therefore, critical that education on the potential risk of outdated, vulnerable open source software is understood, and teams should consider adopting automation to lighten the load.
Fox added: “[The] sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”
YOU MAY ALSO LIKE Linux Foundation’s David A Wheeler on reversing the CVE surge