Counting Vulnerabilities In Open Source Projects and Programming Languages
Written by Alex Armstrong
Thursday, 18 April 2019

The number of disclosed open source vulnerabilities skyrocketed in 2017, reaching a total of almost 3,500. Mozilla was the open source project with the most vulnerabilities and C/C++ was the most vulnerable language.

To provide this information, WhiteSource - a company that sells software which monitors open source components to provide alerts about security and licensing issues - conducted a survey of 650 developers from the US and Western Europe about their practices and challenges of open source usage. They also collected data from the NVD, the United States' national vulnerability database, together with security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather insights into open source vulnerability management.

The statistics they presented in The State of Open Source Vulnerability Management Report showed that the number of disclosed open source software vulnerabilities in 2017 rose by over 50% compared to 2016. In 2018 the number of reported vulnerabilities fell slightly from 2017 but confirmed the upward trend:

Looking at the distribution of vulnerabilities among popular open source projects, Mozilla Firefox tops the list, closely followed by Linux:

With regard to languages, C/C++ comes top by a long margin:

Commenting on this finding in a recent post on the WhiteSource blog, Ayala Goldstein writes:

This is not to say that C is less secure than the other languages. The high number of open source vulnerabilities in C can be explained by several factors. For starters, C has been in use for longer than any of the other languages we researched and has the highest volume of written code. It is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel. This winning combination of volume and centrality explains the high number of known open source vulnerabilities in C.

The blog post also did an analysis by language over time, noting the substantial rise in known open source security vulnerabilities across all languages over the past two years:

Commenting on this Goldstein writes:

This rise can be explained by the rise in awareness of known security vulnerabilities in open source components, along with the continuously growing popularity of open source. As more resources have been invested in open source security research, the number of issues discovered has increased. The use of automated tools and the growing investment in bug bounty programs have further contributed to the sharp rise in the amount of disclosed open source security vulnerabilities.

Goldstein then focused on high severity open source security vulnerabilities (scores above 7 according to CVSS v2) by language over time:

Comparing this with the previous chart, it is clear that the percentage of critical vulnerabilities is declining in most of the languages covered in the report, with JavaScript and PHP standing out as the exceptions.

Commenting on this Goldstein writes:

The decrease in the percentage of critical vulnerabilities could be a result of the concerted effort from security researchers to use automated tools to discover vulnerabilities in open source components. These tools are usually less capable of finding more complex and critical issues. While many of these tools are doing a good job of discovering vulnerabilities, many of the issues are not critical, and so we see a rise in the number of mostly medium vulnerabilities over the past few years in most of the programming languages that we studied.
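The report's severity breakdown is built from NVD data, so the counting step it describes can be reproduced directly from the public feed. The following is an added illustration, not code from the report or from WhiteSource: it takes records shaped like NVD JSON 1.1 feed items (the entries below are constructed samples, not real CVEs), assigns the CVSS v2 severity band, and returns the number and share of HIGH entries per publication year. Mapping each CVE to a programming language is the report's own work and is not attempted here.

```python
"""Count NVD CVE entries per year and the share rated HIGH under CVSS v2."""
from collections import defaultdict

# Constructed sample records shaped like NVD JSON 1.1 feed "CVE_Items".
# IDs are placeholders, not real CVEs.
SAMPLE_ITEMS = [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "publishedDate": "2017-03-01T10:00Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 7.5}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "publishedDate": "2017-08-14T09:15Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 4.3}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "publishedDate": "2018-01-20T12:00Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"}},
     "publishedDate": "2018-06-02T12:00Z",
     "impact": {}},  # no v2 score (e.g. a rejected or v3-only entry)
]

HIGH_THRESHOLD = 7.0  # NVD's CVSS v2 HIGH band runs from 7.0 to 10.0


def v2_severity(item, threshold=HIGH_THRESHOLD):
    """Return 'HIGH', 'MEDIUM', 'LOW', or None if the item has no v2 score."""
    score = (item.get("impact", {}).get("baseMetricV2", {})
             .get("cvssV2", {}).get("baseScore"))
    if score is None:
        return None
    if score >= threshold:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def high_share_by_year(items):
    """Map publication year -> (scored entries, HIGH entries, percent HIGH)."""
    totals = defaultdict(lambda: [0, 0])
    for item in items:
        sev = v2_severity(item)
        if sev is None:
            continue  # unscored entries are excluded, not counted as LOW
        year = item["publishedDate"][:4]
        totals[year][0] += 1
        totals[year][1] += sev == "HIGH"
    return {y: (n, h, round(100.0 * h / n, 1)) for y, (n, h) in totals.items()}


if __name__ == "__main__":
    for year, (n, h, pct) in sorted(high_share_by_year(SAMPLE_ITEMS).items()):
        print(f"{year}: {n} scored, {h} high ({pct}%)")
```

Entries without a v2 base score are left out of the denominator, which matters for the trend charts because unscored or v3-only entries would otherwise drag the HIGH share down.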

More Information

The State of Open Source Vulnerability Management

Is One Programming Language More Secure Than The Rest?
