The open-source ecosystem is under scrutiny for its outdated and insecure components, putting organizations at risk of cyber threats. Reports from 2024 shed light on the various security issues within the open-source community, urging organizations to bolster their software security practices.
One alarming statistic reveals that 70% of open-source components are either poorly maintained or not maintained at all. This poses a significant risk, since open-source code makes up a far larger share of a typical application than the code its developers write themselves. Moreover, a staggering 95% of security vulnerabilities stem from open-source package dependencies, and 51% of these vulnerabilities lack a known fix, across all severity levels.
On the question of who addresses these concerns, one report finds that paid open-source maintainers prioritize security practices more than their unpaid counterparts. Paid maintainers are 55% more likely to implement critical security measures and spend more time ensuring the integrity of their projects. By adhering to industry standards such as the OpenSSF Scorecard and the NIST Secure Software Development Framework, paid maintainers play a crucial role in enhancing the security of open-source software.
Another report delves into the risks associated with open-source software dependencies. For a vulnerability in an open-source library to be exploitable, there must be a call path from the application to the vulnerable function within that library. Surprisingly, this condition is met in less than 9.5% of vulnerabilities across multiple programming languages. The report also highlights the delayed response to emerging risks: nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days.
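The call-path condition above is what reachability analysis checks. The following is an added example, not code from any of the reports: it parses two constructed source snippets with Python's `ast` module, builds a name-based call graph, and asks which application entry points can actually reach the function an advisory flags. The module names, function names and the flagged function `vulnlib.unsafe_eval` are all assumptions made up for the example, and the resolution is deliberately simple (no aliases, dynamic dispatch or re-exports).

```python
import ast
from collections import deque
# Constructed sample sources (not from any report): an app and a dependency with one flagged function.
APP_SRC = """
import vulnlib
def handle_request(data):
    return vulnlib.safe_parse(data)
def nightly_job(name):
    return vulnlib.render_template(name)
"""
LIB_SRC = """
def safe_parse(s):
    return s.strip()
def render_template(t):
    return unsafe_eval(t)
def unsafe_eval(t):
    return eval(t)  # the function the (constructed) advisory flags
"""
SOURCES = {"app": APP_SRC, "vulnlib": LIB_SRC}
def call_graph(sources):
    """'module.func' -> callees from direct calls in each function body.
    Name-based only: no aliases, dynamic dispatch or re-exports."""
    graph = {}
    for module, src in sources.items():
        for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
            callees = set()
            for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
                f = call.func
                if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    callees.add(f"{f.value.id}.{f.attr}")  # module.func call
                elif isinstance(f, ast.Name):
                    callees.add(f"{module}.{f.id}")  # same-module call
            graph[f"{module}.{fn.name}"] = callees
    return graph
def call_path(graph, entry, target):
    """Breadth-first search; return the shortest call path or None."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in sorted(graph.get(path[-1], ())):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None
def reachable_entries(sources, entries, target):
    """Entry points whose code can actually reach the flagged function, with the path."""
    graph = call_graph(sources)
    return {e: p for e in entries if (p := call_path(graph, e, target))}
```

Only `app.nightly_job` reaches the flagged function, so a fix for that advisory would be urgent for the batch job but the request handler is not exposed through this path; a real tool must also handle aliases, indirect calls and transitive dependencies before drawing that conclusion.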
Insecure GitHub Actions workflows also come under scrutiny, with a notable share found to carry vulnerabilities. Of the more than 19,000 custom GitHub Actions available, only a small fraction were created by verified GitHub users. A concerning 18% of these workflows contain vulnerable dependencies, while many are archived and no longer receive regular updates. The average OSSF security score for these actions is just 4.23 out of 10, indicating a widespread lack of security measures.
Furthermore, the exposure of sensitive information on GitHub poses a significant security threat, with 90% of exposed secrets remaining active for at least five days. This prolonged exposure period increases the risk of unauthorized access to sensitive data, highlighting the need for improved security practices on the platform.
Overall, these reports emphasize the critical need for organizations to prioritize software security and implement robust measures to safeguard against the inherent risks within the open-source ecosystem. By addressing the issues highlighted in these reports, organizations can mitigate the potential threats posed by insecure open-source components and dependencies.