WhiteSource, the leader in open source security and license compliance management, announced today the release of their 2020 Annual Report on The State of Open Source Security Vulnerabilities. WhiteSource’s research reveals that the increased focus on open source security from both the software development industry and the open source community resulted in a nearly 50% rise in the number of reported open source vulnerabilities in 2019.
WhiteSource’s research shares information and insights on the current state of open source security vulnerabilities based on WhiteSource’s comprehensive database, which aggregates information from thousands of sources, including the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers.
The WhiteSource report dives deep into this data to learn how the open source community is addressing the continuous rise in the number of reported open source vulnerabilities, and how the decentralized nature of the open source community affects the detection and reporting of vulnerabilities. The report also provides insights on what the industry can expect in 2020, and what software development teams need to know in order to ensure secure coding from the earliest stages of development.
Key findings in the report include:
– Over 85% of open source security vulnerabilities are disclosed with a fix already available.
– 45% of reported open source vulnerabilities are not initially reported to the NVD. Many of them are eventually published in the NVD, but sometimes months after they were published in other resources, so teams that rely on the NVD alone learn of them late.
– The most common CWEs in 2019 were Cross-site Scripting (XSS, CWE-79), Improper Input Validation (CWE-20), Buffer Errors (CWE-119), and Information Exposure (CWE-200), and many of these vulnerabilities are the result of simple coding errors.
– Severity scores for open source vulnerabilities are also on the rise: nearly 60% of reported open source vulnerabilities have a CVSS score of high or critical. When most vulnerabilities share the top two severity bands, the score alone no longer separates the urgent from the merely serious, which makes prioritizing remediation by severity a challenge for developers, security, and DevOps teams. A CVSS base score also measures technical severity in the abstract, not whether the vulnerable code is actually reachable or exploitable in a given application, so it is a coarse signal for prioritization.