Open-source security: This is why bugs in open-source software have hit a record high

Efforts to improve open-source security helped find 6,100 vulnerabilities last year – up over 10 times on a decade ago.

Why 2019 was the year of Linux and open-source software

Increased adoption of open-source software and more focused efforts on finding dangerous bugs mean the number of reported open-source vulnerabilities has risen to 6,100, up from 4,100 last year.   

The bugs were tallied by security firm WhiteSource, whose report shows that reported open-source security vulnerabilities have jumped drastically since 2009 when fewer than 1,000 bugs were reported. 

A major turning point in open-source security happened in 2014, when Google disclosed the widespread OpenSSL Heartbleed bug.

SEE: 20 quick tips to make Linux networking easier (free PDF) 

That event jolted the tech industry into action over poorly funded open-source projects that are critical to the internet but lack resources to find and patch bugs.

The incident spawned the Linux Foundation's Core Infrastructure Initiative (CII), which is backed by Amazon, Google, IBM, Intel, Microsoft, Cisco and others. 

According to WhiteSource figures, in 2015 and 2016 the number of security bugs didn't exceed 1,500 a year, but in 2017 and 2018 the number blew up to over 4,000 per year.      

reported-open-source-bugs.png

The number of disclosed open-source software vulnerabilities in 2019 shot up to over 6,000 bugs.

Image: WhiteSource

A large source of newly found bugs comes from Google's open-source fuzzing tools, such as OSS-Fuzz, which by 2018 had helped find 9,000 flaws in two years. As of January 2020, it's helped find 16,000 bugs in 250 open-source projects.   

WhiteSource found that 85% of open-source vulnerabilities are disclosed and have a fix already available. However, it notes that some users are not aware of these fixes because only 84% of known open-source bugs make it to the National Vulnerability Database (NVD). 

"Information about vulnerabilities is not published in one centralized location, rather scattered across hundreds of resources, and sometimes poorly indexed – often making searching for specific data a challenge," it notes. 

WhiteSource last year brought its vulnerability database to GitHub to support its security-alerts service. GitHub scans project dependencies for vulnerabilities in projects written in PHP, Java, Python, .NET, JavaScript and Ruby. It's helped developers find and fix millions of known flaws in dependencies. 

Last year, the Microsoft code-sharing site, which can issues its own CVEs, also launched a program called Security Lab to help developers find and fix bugs

Despite lauding GitHub's effort, WhiteSource points out that developers could be inundated by the higher volume of bugs being found. 

"Our concern is that, while these tools will help to report vulnerability issues in a proper manner, they will probably only aggravate the issue with software developers who are already struggling to keep up with the increased rate," WhiteSource notes. 

WhiteSource also looked at the share of vulnerabilities found across top programming languages. The highest share of vulnerable code was written in C with a 30% share, which was down from 47% a decade ago. The company notes that C's high percentage is likely to be because there's so much code written in it. 

SEE: Google programming language scorecard: How C, C++, Dart, Rust, Go rate for Fuchsia

Code written in PHP on the other hand was responsible for 27% of security bugs, up from 15% 10 years ago, despite PHP becoming less popular among developers. 

By contrast Python code was only responsible for 5% of bugs, down from 6% 10 years ago. 

The most common types of security flaws in 2019 were cross-site scripting, improper input validation, buffer errors, out-of-bounds reads, and information exposure. 

Cross-site scripting bugs were the most common type of vulnerability for Java, JavaScript, PHP, Python, and Ruby. For C, a memory-unsafe language, it was "improper restriction of operations within the bounds of a memory buffer". 

share-of-bugs-per-language.png

Open-source vulnerabilities per language, 2019 vs 2009-2018: C still had most, due to the high volume of code written in it.

Image: WhiteSource