Open source vulnerabilities add to security debt

The number of open-source vulnerabilities that Mend identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than in the first nine months of 2021, reflecting both the growth in the number of published open-source packages and the accelerating rate at which vulnerabilities in them are disclosed. As businesses continue to rely heavily on their applications for success, this growing threat is a mounting concern.

The report’s representative sample, covering January to September 2022 and approximately 1,000 North American companies, found that only 13 percent of the vulnerabilities detected were remediated, compared with 40 percent remediated by companies using modern application security best practices.

With open-source code used in 70 to 90 percent of applications today, more companies are finding themselves vulnerable to attacks as threat actors take advantage of the remediation gap.

“As security debt continues to rise, it’s crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack,” said Jeffrey Martin, VP Product Management at Mend. “Using remediation tools that can assess and prioritize the vulnerabilities that can most heavily impact systems is an important element to managing security debt. Organizations should not just pay attention to severity details though, to ensure effective prioritization and remediation, they need to also look at the exploitation context of flaws on their own and in conjunction with others.”

While companies remediate thousands of vulnerabilities each month, handling the ongoing wave of newly detected vulnerabilities without building up a backlog requires modern remediation best practices.

The increase in open source vulnerabilities outstrips the estimated 25 percent growth in the amount of open-source software available. With applications being the lifeblood of the global economy, regular application security scanning and use of prioritization and remediation tools are essential.

Attacks using malicious packages are also on the rise. Mend data shows a steady quarterly increase in the number of malicious packages published, which jumped 79 percent from Q2 to Q3 2022. At least 10 malicious packages were published each day to the npm and RubyGems package managers. On top of this, more packages today contain telemetry, which enables data collection, and some are now embedded deeper in the supply chain, for example when a legitimate package has a dependency that contains malicious code.

“While the amount of malicious packages has increased, sophistication is also slowly catching up. We are starting to see intermediate evasion techniques being layered over basic evasions,” said Maciej Mensfeld, Director Product Manager at Mend. “In the ongoing security cat-and-mouse game, we know malicious actors are always motivated to overcome obstacles they might encounter. To stay ahead of attacks, companies need to ensure they’re leveraging application security tools, particularly those that scan for malicious packages.”
