Decoding the Code: Unraveling Vulnerabilities in the Shadows of Open Source
Advisories / Vulnerabilities published for the last 3 months related to Libraries and Packages

Research suggests that 70% to 90% of the code in any modern production application comes from the open-source ecosystem. These open-source libraries and packages are pulled from repositories hosted by different ecosystems such as npm, Maven, PyPI, PHP (Packagist), and many more. Just as CVEs are discovered in network services and products, the security community has been finding vulnerabilities in these libraries and packages for the last few years. Security and engineering leaders should adapt their existing security practices to identify and fix the vulnerabilities reported in the libraries and packages incorporated into their production applications.

How can the report be used?

To provide deeper insight and help in formulating a strategy, the report presents a set of facts and observations that can be used to answer questions such as the following:

  1. Does my organization have a practice to identify and remediate vulnerable libraries?
  2. Does my organization have a practice to detect a malicious library before it becomes part of a production application?
  3. Which common weaknesses are most prevalent in the ecosystems I use, so that I can train my developers on them?
  4. Which ecosystems generate the most critical vulnerabilities that I should be worried about?
  5. How much time do developers spend fixing security issues, and is it hampering the productivity of my organization?

Key Insights from the last 3 Months of GitHub Advisories

Below is an overview of the advisory and vulnerability landscape across different package ecosystems and time periods. It can be used to monitor the security posture and trends related to vulnerabilities and advisories for various software packages.

  • Out of 727 total vulnerabilities published, NPM contributed the most with 240 when it comes to raw counts.

  • However, when it comes to critical or high vulnerabilities, Maven and PHP (Packagist) contributed more than the other ecosystems. Share of critical/high vulnerabilities by ecosystem: Maven 34.61%, Packagist 16.03%, PyPI 15.27%, Go 12.21%, npm 10.18%, Other 11.7%.

  • Most of the malicious packages published are from NPM (as per the last 3 months of data). (In my personal view, the data may be biased towards NPM; Python and PHP malicious packages can be equally prevalent.)

Malicious Packages vs Ecosystems

  • The following breakdown highlights the most frequently occurring CWE weaknesses within each ecosystem, giving insight into the types of security issues that are prevalent. This information is useful for prioritizing security efforts and focusing on mitigating the most common weaknesses in each ecosystem.

Top 5 Weaknesses (CWE) that contributed to vulnerable packages in each ecosystem

npm:

  • CWE-79: Cross-site Scripting (20 occurrences)
  • CWE-1321: OS Command Injection (12 occurrences)
  • CWE-200: Exposure of Sensitive Information (5 occurrences)

Maven:

  • CWE-79: Cross-site Scripting (29 occurrences)
  • CWE-352: Cross-Site Request Forgery (21 occurrences)
  • CWE-400: Uncontrolled Resource Consumption (17 occurrences)

Packagist:

  • CWE-79: Cross-site Scripting (45 occurrences)
  • CWE-89: SQL Injection (7 occurrences)
  • CWE-200: Exposure of Sensitive Information (6 occurrences)

PyPI:

  • CWE-20: Improper Input Validation (10 occurrences)
  • CWE-94: Code Injection (9 occurrences)
  • CWE-79: Cross-site Scripting (8 occurrences)
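To reproduce per-ecosystem tallies like the ones above from raw advisory data, here is an added Python example (not part of the original report) that aggregates GitHub Advisory Database records in their OSV JSON export shape by ecosystem, critical/high share and top CWEs. The `database_specific.severity` and `database_specific.cwe_ids` field names are assumed from that export, and the sample records are constructed placeholders rather than real advisories.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the OSV JSON shape exported by the GitHub
# Advisory Database (field names assumed; ids and package names are placeholders).
SAMPLE_ADVISORIES = [
    {"id": "GHSA-0000-0000-0001", "database_specific": {"severity": "HIGH", "cwe_ids": ["CWE-79"]},
     "affected": [{"package": {"ecosystem": "npm", "name": "example-a"}}]},
    {"id": "GHSA-0000-0000-0002", "database_specific": {"severity": "MODERATE", "cwe_ids": ["CWE-1321", "CWE-79"]},
     "affected": [{"package": {"ecosystem": "npm", "name": "example-b"}}]},
    {"id": "GHSA-0000-0000-0003", "database_specific": {"severity": "CRITICAL", "cwe_ids": ["CWE-79", "CWE-352"]},
     "affected": [{"package": {"ecosystem": "Maven", "name": "org.example:lib"}}]},
    {"id": "GHSA-0000-0000-0004", "database_specific": {"severity": "HIGH", "cwe_ids": ["CWE-89"]},
     "affected": [{"package": {"ecosystem": "Packagist", "name": "example/lib"}}]},
    {"id": "GHSA-0000-0000-0005", "database_specific": {"severity": "LOW", "cwe_ids": []},
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-c"}},
                  {"package": {"ecosystem": "PyPI", "name": "example-d"}}]},
]

SEVERE = {"CRITICAL", "HIGH"}  # severities counted as "critical or high"

def ecosystems(adv):
    """Distinct ecosystems an advisory touches (one advisory may list several packages)."""
    return {a["package"]["ecosystem"] for a in adv.get("affected", []) if "package" in a}

def summarize(advisories, top_n=5):
    """Count advisories per ecosystem, the share of critical/high ones, and the top CWEs."""
    totals = Counter()           # advisories per ecosystem
    severe = Counter()           # critical/high advisories per ecosystem
    cwes = defaultdict(Counter)  # ecosystem -> CWE id -> occurrences
    for adv in advisories:
        meta = adv.get("database_specific", {})
        for eco in ecosystems(adv):
            totals[eco] += 1
            if meta.get("severity", "").upper() in SEVERE:
                severe[eco] += 1
            cwes[eco].update(meta.get("cwe_ids", []))
    severe_total = sum(severe.values()) or 1  # avoid division by zero on empty input
    return {
        "total": len(advisories),
        "by_ecosystem": dict(totals),
        "severe_share_pct": {e: round(100 * n / severe_total, 2) for e, n in severe.items()},
        "top_cwes": {e: c.most_common(top_n) for e, c in cwes.items()},
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ADVISORIES), indent=2))
```

Feeding the real export (one OSV record per advisory) into `summarize` yields the same structure the report presents: raw counts by ecosystem, the critical/high percentage split, and the most frequent CWEs to train developers on.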

Top Recommendations

  1. Implement Ecosystem-Tailored Security Measures: Based on the distribution of advisories and vulnerabilities across different package ecosystems, tailor your security measures to address the specific risks prevalent in each ecosystem. Devote more attention and resources to ecosystems with higher vulnerability percentages, ensuring that security controls are aligned with the nature of the software packages used.
  2. Prioritize Critical Vulnerabilities Mitigation: Given the distribution of critical vulnerabilities among different ecosystems, prioritize the mitigation of these high-impact issues. Collaborate with development teams to promptly address critical vulnerabilities, allocate resources for immediate fixes, and ensure rigorous testing before deployment to minimize potential exploits.
  3. Enhance Developer Productivity through Automated Tools: To tackle the challenge of engineers spending excessive time on alerts and security issues, invest in automated tools that streamline the identification and resolution of vulnerabilities. Consider integrating tools like Dependabot / Vet, to reduce manual effort, allowing engineers to focus on core development tasks while maintaining security standards.
  4. Establish Cross-Functional Security Training: Address the lack of security expertise by implementing cross-functional security training programs. Foster collaboration between security, development, and DevOps teams to bridge knowledge gaps and ensure a shared understanding of security best practices, enabling proactive identification and mitigation of security risks.
  5. Leverage Real-Time Feedback Loops: Overcome the challenges of limited real-time feedback by implementing continuous monitoring and feedback loops within the development pipeline. Incorporate security testing tools that provide instant feedback on code vulnerabilities, allowing developers and DevOps administrators to address issues at an early stage, reducing security debt over time.

Note: this report considers 3 months of advisory and vulnerability data related to these ecosystems.

Finally, credits to the GitHub Advisory Database, OpenSSF, and Abhisek Datta for providing access to the insights report, and to all my readers who keep me motivated to write these posts.

Stay Tuned and Happy Sharing!!!

More articles by Jitendra Chauhan