Open Source Risk Report shows increase in vulnerabilities and attacks using malicious packages causing greater challenges for security teams
TEL AVIV, Israel and BOSTON, Dec. 15, 2022 /PRNewswire/ -- Mend, a leader in application security, launched its Open Source Risk Report today that reveals the significant risk posed by the ongoing rise in open source vulnerabilities and software supply chain attacks. According to the report, the number of open source vulnerabilities that Mend identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than the first nine months of 2021, reflecting both the growth in the number of published open source packages and the acceleration of vulnerabilities. As businesses continue to heavily rely on their applications for success, this growing threat is a mounting concern.
Open Source Vulnerabilities Add to Security Debt
The report's representative sampling through January to September 2022 of approximately 1,000 North American companies found that only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those using modern application security best practices. With open source code used in 70 to 90 percent of applications today, more companies are finding themselves vulnerable to attacks as threat actors take advantage of the remediation gap.
"As security debt continues to rise, it's crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack," said Jeffrey Martin, VP Product Management at Mend. "Using remediation tools that can assess and prioritize the vulnerabilities that can most heavily impact systems is an important element to managing security debt. Organizations should not just pay attention to severity details though, to ensure effective prioritization and remediation, they need to also look at the exploitation context of flaws on their own and in conjunction with others."
While companies remediate thousands of vulnerabilities each month, it takes modern remediation best practices to handle the ongoing wave of new vulnerabilities detected to prevent a growing backlog of vulnerabilities. The increase in open-source vulnerabilities outstrips the estimated 25 percent growth in the amount of open source software available. With applications being the lifeblood of the global economy, regular application security scanning and use of prioritization and remediation tools are essential.
Malicious Packages a Growing Challenge
Attacks using malicious packages are also on the rise. Data from Mend Supply Chain Defender shows a steady quarterly increase in malicious packages published, which jumped 79 percent from Q2 to Q3 2022. At least 10 malicious packages were published each day to package managers npm and rubygems. On top of this, more packages today contain telemetry, which enables data collection, and some are now built into a supply chain, such as when valid content has a dependency containing malicious code.
"While the amount of malicious packages has increased, sophistication is also slowly catching up. We are starting to see intermediate evasion techniques be layered over basic evasions," said Maciej Mensfeld, Director Product Manager at Mend. "In the ongoing security cat and mouse game, we know malicious actors are always motivated to overcome obstacles they might encounter. To stay ahead of attacks, companies need to ensure they're leveraging application security tools, particularly those that scan for malicious packages like Mend Supply Chain Defender."
About the Report
The report examines data from multiple sources including the Mend vulnerability database, Mend Supply Chain Defender, and a representative sampling of approximately 1,000 North American companies from January to September 2022. The Mend vulnerability database provides information on open source security vulnerabilities aggregated from the NVD, dozens of security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers. Mend Supply Chain Defender, a solution that helps enterprises defend the software supply chain, has performed more than 150 million secured package checks and has scanned almost 9 million packages since 2020. The representative sampling was used to compile data on critical and high severity vulnerabilities and remediation to present a snapshot into the state of open source security from the user perspective.
To download a full copy of the report, visit here.
About Mend
Mend, formerly known as WhiteSource, effortlessly secures what developers create. Mend uniquely removes the burden of application security, allowing development teams to deliver quality, secure code faster. With a proven track record of successfully meeting complex and large-scale application security needs, the world's most demanding software developers rely on Mend. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend blog, and Mend on LinkedIn and Twitter.
CONTACT:
Carol Hildebrand
Director of Content Marketing, Mend
[email protected]
SOURCE Mend.io
WANT YOUR COMPANY'S NEWS FEATURED ON PRNEWSWIRE.COM?
Newsrooms &
Influencers
Digital Media
Outlets
Journalists
Opted In
Share this article