Vulnerabilities in open source sometimes go unnoticed for more than 4 years

Security vulnerabilities in open source software sometimes go undetected for more than four years. This is one of the key findings of the latest State of the Octoverse report from GitHub, the software development hosting and management platform.

However, this statement is not entirely true. Technological advances, and the fact that many large companies and developers have joined open source software in recent years, have accelerated development, the creation of testing tools and, above all, vulnerability detection.

Even so, insufficient funding (which leads to a reduction in human resources) is still, most of the time, an obstacle to searching for and discovering these vulnerabilities.

Heartbleed, for example, is a software vulnerability that had been present in the OpenSSL cryptography library since March 2012. It allows an attacker to read the memory of a server or a client to recover data used during a communication with the Transport Layer Security (TLS) protocol. The flaw, which affects many Internet services, was not discovered until March 2014 and was made public in April 2014. That left a two-year window for hackers to attack thousands of servers.

The vulnerability allegedly ended up in the OpenSSL repository by mistake following a proposal from a volunteer developer to fix bugs and improve features.

Defects of this type (introduced by mistake) represent 83% of those discovered in open source projects hosted on GitHub. However, the latest State of the Octoverse report states that 17% are vulnerabilities intentionally introduced by malicious third parties.

These figures should be read alongside a recent RiskSense report, which emphasizes that flaws in open source software are constantly growing. IT projects are increasingly based on open source, which explains the growing interest of hackers in the field.

A vulnerability can wreak havoc on your work and cause large-scale security problems. However, most vulnerabilities are due to bugs, not malicious attacks.

By relying on open source when you can, your team benefits from all the fixes found and remediated by the community. Time to remediate is an important component for all DevOps teams.

The financing model of the open source sphere is among the factors most likely to explain why software vulnerabilities go unnoticed for such long periods. The Central Infrastructure Initiative (CII) is one of the few projects to finance and support free and open source software projects that are essential to the functioning of the Internet and other large information systems.

Most of the projects on GitHub are based on open source software. This analysis included open source public repositories with at least one contribution in each month between 10.1.2019 and 30.09.2020.

The CII was announced following the critical Heartbleed vulnerability in OpenSSL, which is used by millions of websites. The problem: CII relies on contributions from well-established players in the world of proprietary software. Facebook, VMware, Microsoft, Comcast, and Oracle (to name just these companies) fund the Linux Foundation, and thus projects like the Central Infrastructure Initiative (CII).

This gives them seats on the various decision-making boards, and therefore some control over what happens in the open source arena. Bryan Lunduke, a former openSUSE Board member, discusses this state of affairs in more detail.

The immediate consequence is that the open source projects that benefit from funding are those on which these companies' own infrastructures are mainly based.

Finally, if you are interested in knowing more about it, you can consult the following website where you can find the collected reports.
