UK firms downloading vulnerable open source software

Vulnerable open source software components are posing a security threat to UK firms, according to a report that also shows how best practice, including automation, can reduce the risk

The average UK enterprise downloaded more than 21,000 open source software components with a known vulnerability in the past year alone, data from Sonatype shows.

Out of the average 248,000 open source components downloaded by UK businesses in 2018, 8.8% were found to have a known security flaw, according to Sonatype’s fifth annual Software supply chain report, based on data from 12,000 enterprise development companies globally.

Out of the vulnerabilities in open source software downloaded by UK firms, 30% were classified as critical, posing a serious risk to the security of software, the report said.  

These findings are evidence of a worrying trend of vulnerable components being built into applications, the report said, with one in 10 open source components downloaded in 2018 containing a known security vulnerability.

Just over half (51%) of JavaScript package downloads also had a known flaw, the data shows, demonstrating the scale of the challenge facing organisations.

The report also examined the volume of companies using the flawed Struts component responsible for the Equifax breach and attacks on at least eight other major institutions. The data shows that downloads of the flawed Struts component increased by 11% in the 12 months after the Equifax breach, with an average of 2.1 million downloads a month.  

However, the report identifies coding practices that are proving to mitigate these threats significantly. The findings also show a slight decrease in vulnerable downloads, from one in eight in 2017 to one in 10 in the past year, as businesses improve software supply chain management.

The report shows that developers who use the most current versions of their open source component dependencies can dramatically reduce their cyber security risk, which matters all the more given the finding that adversaries are increasingly targeting open source components.

The data shows a 71% increase in open source related breaches over the past five years, that 24% of organisations confirmed or suspected an open source software related breach, and that 15 events highlighted a new attack pattern for malicious code injection within open source software supply chains.

The data shows that supply of and demand for open source software components are at an all-time high, with a 68% increase in downloads of Java components in 2018 to 146 billion, 21,448 new open source releases available to developers each day, and 313,000 average annual open source software downloads across the 12,000 enterprises studied.

But the report notes that not all open source projects are created equal, with only 295 open source projects found to be following the best secure coding practices and only 5% of projects remediating security vulnerabilities within 15 days.  

Top enterprise development teams benefit from software supply chain automation, the report said, resulting in a 55% reduction in the use of vulnerable open source components. These teams are 12 times more likely to have automated tools to manage open source dependencies and are 9.3 times more likely to proactively remove problematic or unused dependencies.

“We have long advised businesses that they should rely on the fewest open source component suppliers with the best track records to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype.

“For organisations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%.”

Findings in the report are based on analysis of 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys, with a combined participation of more than 6,200 development professionals.  

Velocity does not have to come at the cost of reduced security, the report concludes, noting that exemplary open source project initiatives benefit tremendously from higher code commit and release frequencies.

“They also do an outstanding job of managing their dependencies,” the report said, adding that exemplars in enterprise are benefiting from processes that support using the latest component versions and typically embrace automated practices to reduce the presence of known vulnerabilities.
