
Amplified dangers in GitHub's open-source repositories

Ageing repositories may pose risks due to inconsistent or delayed code updates, according to Veracode's research findings.


In the digital landscape, open-source software has become a cornerstone for many applications. However, a new report by Veracode raises concerns about the security of these resources.

According to Veracode, the age and cadence of commits to open-source repositories on GitHub can partially explain the high number of vulnerabilities found in these resources. Inconsistent or delayed code commits, coupled with improper scanning, create risks as repositories age, the report states.

This issue is further compounded by the fact that when developers add an open-source library to their application, 79% of the time they never go back to update it, allowing flaws to continue to accumulate.

The report also highlights that the majority of repositories studied are between four and 10 years old. Half of these repositories had no commits in the last year, further increasing the risk of undiscovered flaws.
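A triage check built on the risk signals the report describes (repository age, no commits in the last year, a single maintainer, and a library that was added and never updated), as an added example that is not part of the article or of Veracode's research. The dependency records, dates and field names are constructed assumptions standing in for what a lockfile and repository metadata would supply.

```python
from datetime import date, timedelta

# Constructed sample metadata for three hypothetical dependencies (not real projects).
# In practice "created", "last_commit" and "contributors" would come from the
# repository host's API and "pinned" / "latest" from the application's lockfile.
DEPENDENCIES = [
    {"name": "example-json-lib", "created": date(2016, 3, 1), "last_commit": date(2024, 11, 20),
     "contributors": 14, "pinned": "2.1.0", "latest": "2.1.0"},
    {"name": "example-auth-helper", "created": date(2016, 6, 10), "last_commit": date(2022, 1, 5),
     "contributors": 1, "pinned": "0.9.2", "latest": "1.4.0"},
    {"name": "example-new-parser", "created": date(2024, 2, 14), "last_commit": date(2025, 1, 2),
     "contributors": 3, "pinned": "0.3.0", "latest": "0.3.1"},
]

# Fixed reference date so the check is reproducible (an assumption for this example).
TODAY = date(2025, 3, 1)


def staleness_flags(dep, today=TODAY):
    """Return the risk flags from the report's findings that apply to one dependency."""
    flags = []
    age_years = (today - dep["created"]).days / 365.25
    if 4 <= age_years <= 10:
        flags.append("aged-4-10y")          # the age band most studied repositories fell into
    if today - dep["last_commit"] > timedelta(days=365):
        flags.append("no-commit-12m")        # half of the studied repositories had no commits
    if dep["contributors"] == 1:
        flags.append("single-maintainer")    # one in ten repositories had a single developer
    if dep["pinned"] != dep["latest"]:       # plain string inequality, not a semver comparison
        flags.append("outdated-pin")         # the 79% "added and never updated" pattern
    return flags


def triage(deps=DEPENDENCIES, today=TODAY):
    """Rank flagged dependencies: most flags first, then by name. Unflagged ones are dropped."""
    scored = [(d["name"], staleness_flags(d, today)) for d in deps]
    scored = [s for s in scored if s[1]]
    return sorted(scored, key=lambda s: (-len(s[1]), s[0]))


if __name__ == "__main__":
    for name, flags in triage():
        print(f"{name}: {', '.join(flags)}")
```

The output ranks the single-maintainer, long-idle, outdated library first, which is the combination the report's figures single out as highest risk.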

The report isn't the only source of concern. In December 2022, the identity and access management platform Okta reported that a threat actor accessed and copied its source code repositories on GitHub. Similarly, in 2022, GitHub itself was affected by an attacker who gained access to and copied source code repositories.

More recently, password manager LastPass is dealing with unauthorized access to its code base, resulting in a threat actor copying a backup of its customer vault data, potentially compromising over 33 million registered users.

Open-source software is exploited because the cost of entry is low and the payoff is high. Malicious actors can scan open-source code for vulnerabilities to use in other attacks, even if theft of open-source code doesn't always lead directly to customer account breaches.

Corporate stakeholders are increasingly concerned with understanding the risk calculus of their technology stacks, and the lingering question is: Are we a target? The evolving role of the CISO involves better understanding that calculus to determine whether the organization is a potential target.

Unresolved security issues in open-source software often come down to priorities and the need for more organizations to invest time and resources in development, scanning, and testing. Keeping up with this attack vector without a major change in how these libraries get delivered into software that uses them is becoming increasingly difficult.

On a positive note, nearly one-third of the applications studied by Veracode were found to have flaws at the first scan. This suggests that early detection and remediation can significantly reduce the risk posed by these vulnerabilities.

Veracode identified nearly 30,000 open-source repositories publicly hosted on GitHub and actively used by its customers. Of those repositories, one in ten only had a single developer, highlighting the importance of collaboration and shared responsibility in maintaining the security of open-source software.

As the reliance on open-source software continues to grow, so does the need for vigilance and proactive measures to ensure the security of these resources. Organizations must prioritize the identification and remediation of vulnerabilities in their open-source software to protect their sensitive data and maintain the trust of their customers.
