Open Source Vulnerabilities Are Still On the Rise, and That’s the Good News

Written by: Kaitlin Waite

Editor's note: This is a guest blog by Shiri Ivtsan, senior product manager at WhiteSource.

In a world where release cycles become shorter and software development organizations invest in the DevOps tools and processes that can help them deliver better software faster, open source components have become an essential building block in making developers' lives easier.

Along with its many advantages, the rise in open source usage has also led to a dramatic increase in the number of security vulnerabilities that are published every year. According to the WhiteSource open source vulnerabilities database, the number of disclosed open source software vulnerabilities in 2018 rose by over 50% as compared to the 2017 figures.

Drilling down: Which open source projects have the most known vulnerabilities?

Most of these known open source software vulnerabilities are located in the most popular and widely-used open source projects. According to our database, while 7.5% of all open source projects are vulnerable, when we look at the 100 most popular open source components, we see that 32% of these projects contain at least one known security vulnerability.

If we drill down to the top 10 open source projects with the highest number of published open source vulnerabilities, we’ll see that the list contains some of the open source projects that we all know, love, and depend on for our software projects.

Given these figures, does this mean that some of the most popular open source libraries that we are all using are insecure? The answer is quite the opposite.

Popular open source projects are maintained by a large and active community. That means more working hands for security research. An open source project with a thriving community around it has more eyes looking at it, continuously analyzing, discovering, and publishing more security and quality issues, thereby helping to make it more secure by finding and fixing the flaws.

We should also consider who owns a project and what resources they can bring to bear on it. Many of the projects in that top-10 list are backed by large commercial companies, which fund security reviews, bug bounties, and dedicated maintainers.

The bottom line is that a high number of reported vulnerabilities is usually a sign of a project that is actively scrutinized and maintained by its community, not evidence of low security standards. A project with few published CVEs is not necessarily safer; it may simply have fewer people looking.

Spotlight on C: Programming languages and open source vulnerabilities

WhiteSource also decided to take a deeper look at open source vulnerabilities in programming languages. Crunching the numbers of known open source vulnerabilities in programming languages showed us once again that the numbers don’t tell us the whole story. While C took first place by a considerable margin with 47% of all reported vulnerabilities, the high percentage doesn’t mean that C is an inherently insecure language, or that projects that are written in C are less secure to use.

The high number of open source vulnerabilities in C is more likely due to the fact that C has been in use for longer than any of the other languages we researched and has the highest volume of written code. Not only that, it powers major infrastructure like OpenSSL and the Linux kernel. This winning combination of volume and centrality is behind the high number of known open source vulnerabilities in C.

More known issues means more fixes

While vulnerable open source components have made headlines in recent years, dismissing open source as a category on security grounds is not a productive response.

The rise in security awareness around open source, together with the fact that open source usage has gone mainstream, means there are large and active communities working to detect security issues in open source projects and release fixes quickly. The practical question is not whether a component has ever had a vulnerability, but whether you are running a version with a known, unfixed one.

Using enterprise-level CI/CD platforms, like CloudBees, together with security tools like WhiteSource, provides the security gates that fail a build when it pulls in an open source component with a known vulnerability. No tool can make a pipeline free of vulnerabilities that have not yet been discovered; what a gate does is make sure the known ones, the ones behind the published numbers above, never reach production. Take the guesswork out and add the security gates in.
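To make the idea of a security gate concrete, here is an added example of a minimal dependency gate, written for this page and not code from CloudBees or WhiteSource. It reads a pip-style requirements list, checks each pinned version against an advisory list, and returns the components that fall inside a vulnerable version range. The package names, version ranges and advisory IDs are constructed for illustration and do not refer to real vulnerabilities; a real gate would pull advisories from a vulnerability database and handle non-numeric version tags, which this example does not.

```python
"""Minimal dependency security gate for a CI/CD pipeline.

Added example, not CloudBees or WhiteSource code. The advisory list and the
requirements text below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed advisory data (package, introduced inclusive, fixed exclusive, id).
# These are made-up entries, not real vulnerabilities.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "EX-2018-0001"),
    ("parserkit", "0.0.0", "2.1.0", "EX-2018-0002"),
    ("parserkit", "3.0.0", "3.0.5", "EX-2018-0003"),
]

# Constructed requirements file contents, standing in for what a build reads from disk.
REQUIREMENTS = """\
# pinned dependencies
examplelib==1.3.9
parserkit==3.0.5
otherlib==0.9.1
"""


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    fixed_in: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). Assumes purely numeric dotted versions."""
    return tuple(int(part) for part in v.strip().split("."))


def version_in_range(v: str, lo: str, hi: str) -> bool:
    """True if lo <= v < hi. Tuples are zero-padded so '1.4' equals '1.4.0'.

    The upper bound is exclusive because advisories name the version that
    contains the fix: running exactly that version is not a finding.
    """
    pv, plo, phi = parse_version(v), parse_version(lo), parse_version(hi)
    n = max(len(pv), len(plo), len(phi))
    pv, plo, phi = (t + (0,) * (n - len(t)) for t in (pv, plo, phi))
    return plo <= pv < phi


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for each 'name==version' line.

    Blank lines and comments are skipped. Unpinned specifiers (>=, ~=, bare
    names) are rejected: a gate cannot decide on a version it does not know.
    """
    pinned = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement, refusing to gate: {line!r}")
        name, version = line.split("==", 1)
        # Package names are matched case-insensitively, as on PyPI.
        pinned.append((name.strip().lower(), version.strip()))
    return pinned


def gate(requirements_text: str, advisories) -> List[Finding]:
    """Return every pinned dependency that falls inside an advisory's range."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for pkg, introduced, fixed, advisory_id in advisories:
            if pkg.lower() == name and version_in_range(version, introduced, fixed):
                findings.append(Finding(name, version, advisory_id, fixed))
    return findings


if __name__ == "__main__":
    import sys

    results = gate(REQUIREMENTS, ADVISORIES)
    for f in results:
        print(f"BLOCK {f.package}=={f.version}: {f.advisory} (fixed in {f.fixed_in})")
    # A non-zero exit is what turns this script into a pipeline gate.
    sys.exit(1 if results else 0)
```

Run inside a pipeline step, the script exits non-zero when any finding is present, which is what stops the build. With the constructed data above it blocks `examplelib==1.3.9` and lets `parserkit==3.0.5` through, because 3.0.5 is the fixed version, not a vulnerable one. Refusing unpinned requirements is deliberate: a gate that guesses which version will be installed gives a false sense of coverage.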
