Open Source Risk Report shows increase in vulnerabilities and attacks using malicious packages causing greater challenges for security teams
TEL AVIV, Israel and BOSTON – December 15, 2022 – Mend.io, a leader in application security, launched its Open Source Risk Report today that reveals the significant risk posed by the ongoing rise in open source vulnerabilities and software supply chain attacks. According to the report, the number of open source vulnerabilities that Mend.io identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than the first nine months of 2021, reflecting both the growth in the number of published open source packages and the acceleration of vulnerabilities. As businesses continue to heavily rely on their applications for success, this growing threat is a mounting concern.
Open Source Vulnerabilities Add to Security Debt
The report’s representative sampling through January to September 2022 of approximately 1,000 North American companies found that only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those using modern application security best practices. With open source code used in 70 to 90 percent of applications today, more companies are finding themselves vulnerable to attacks as threat actors take advantage of the remediation gap.
“As security debt continues to rise, it’s crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack,” said Jeffrey Martin, VP Product Management at Mend.io. “Using remediation tools that can assess and prioritize the vulnerabilities that can most heavily impact systems is an important element to managing security debt. Organizations should not just pay attention to severity details, though; to ensure effective prioritization and remediation, they need to also look at the exploitation context of flaws on their own and in conjunction with others.”
While companies remediate thousands of vulnerabilities each month, handling the ongoing wave of newly detected vulnerabilities without building up a growing backlog requires modern remediation best practices. The increase in open-source vulnerabilities outstrips the estimated 25 percent growth in the amount of open source software available. With applications being the lifeblood of the global economy, regular application security scanning and the use of prioritization and remediation tools are essential.
Malicious Packages a Growing Challenge
Attacks using malicious packages are also on the rise. Data from Mend Supply Chain Defender shows a steady quarterly increase in malicious packages published, which jumped 79 percent from Q2 to Q3 2022. At least 10 malicious packages were published each day to package managers npm and rubygems. On top of this, more packages today contain telemetry, which enables data collection, and some are now built into a supply chain, such as when valid content has a dependency containing malicious code.
“While the amount of malicious packages has increased, sophistication is also slowly catching up. We are starting to see intermediate evasion techniques be layered over basic evasions,” said Maciej Mensfeld, Director Product Manager at Mend.io. “In the ongoing security cat and mouse game, we know malicious actors are always motivated to overcome obstacles they might encounter. To stay ahead of attacks, companies need to ensure they’re leveraging application security tools, particularly those that scan for malicious packages like Mend Supply Chain Defender.”
About the Report
The report examines data from multiple sources including the Mend.io vulnerability database, Mend Supply Chain Defender, and a representative sampling of approximately 1,000 North American companies from January to September 2022. The Mend.io vulnerability database provides information on open source security vulnerabilities aggregated from the NVD, dozens of security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers. Mend Supply Chain Defender, a solution that helps enterprises defend the software supply chain, has performed more than 150 million secured package checks and has scanned almost 9 million packages since 2020. The representative sampling was used to compile data on critical and high severity vulnerabilities and remediation to present a snapshot into the state of open source security from the user perspective.
To download a full copy of the report, visit here.
Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development, using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.
Guyer Group for Mend.io