Snyk State of Open Source Security Report Reveals Vulnerabilities Down as Cybersecurity Responsibilities Are More Effectively Shared Across Teams

June 25, 2020

BOSTON, June 25, 2020 /PRNewswire/ -- Snyk, the leader in developer-first security, released its annual State of Open Source Security Report for 2020 today. The study found that new vulnerabilities in open source packages were down 20% compared to last year, suggesting that the security of open source packages and containers is heading in a positive direction. Well-known vulnerabilities, such as cross-site scripting, continue to be reported but aren't impacting as many projects as they have in previous years. This is further encouraged as organizations start to drive a culture shift that treats open source and container security as a core responsibility shared and integrated across development, security and operations teams.

This year the report took an even deeper look at vulnerability and ecosystem-level trends that impact the overall security posture of organizations relying on open source libraries. Across the six popular ecosystems the report examined, there were fewer new vulnerabilities reported in 2019 than in 2018 - a promising finding - but there are still significant improvements to strive for, with slightly less than two-thirds of vulnerabilities still taking more than 20 days to remediate.

While well-known vulnerabilities such as cross-site scripting are reported in high numbers, the number of projects they impact is fairly low. These common threats appear to be getting caught and remediated early, unlike some lesser-known vulnerabilities. For example, the report found certain vulnerabilities were reported in highly popular packages, affecting thousands of projects and thereby increasing the probability of them being exploited by attackers. Based on the 2020 report, the top vulnerability currently impacting scanned projects is prototype pollution, present in nearly 27% of all projects.

For the first time in the last four years, the Snyk report highlighted a big shift in security mindset as organizations start embracing the core elements of DevSecOps and begin implementing more scalable programs and best practices to ensure shared responsibility. When respondents were asked the multi-answer question about who they felt should be responsible for designing and implementing security controls in their software development, development teams were commonly identified in addition to operations and security teams. This is a much more even spread across the three teams compared to last year, when less than 25% felt security and operations played a role. However, the fact that the responses were all below 65% still indicates that respondents did not typically identify all three groups as jointly responsible. While progress has been made, it's clear there is still a need for a more significant shift towards a shared-responsibility culture.

"This year's report is very encouraging as we are seeing the volume of open source vulnerabilities trending down for the first time in four years. In addition, there are positive trends emerging around the collaboration of development, security and operations teams to address the growing demand for secure application development," said Alyssa Miller, Application Security Advocate, Snyk. "Despite the year-over-year progress, we must continue to prioritize security and empower organizations to implement programs to help drive DevSecOps and developers to be involved in securing their code from the very beginning. We need to focus on continuing these efforts to ensure these emerging trends continue on this positive trajectory in 2021 and beyond."

The annual State of Open Source Security Report published by Snyk was completed by more than 500 developers, security practitioners, and operations technologists. The report also draws on internal data from the Snyk vulnerability database, as well as correlated data from the hundreds of thousands of projects currently monitored and protected by Snyk. It further includes research and data published by various sources, including aggregated data from scanning the millions of repositories in GitHub, GitLab, Bitbucket, and others.

Other notable highlights from the 2020 report include:

Open source statistics

  • Open source ecosystems continue to expand, led by npm, which grew over 117% in 2019 and now spans over 1,300,000 packages.

  • The majority of open source vulnerabilities continue to be discovered in indirect dependencies:

    • npm: 86%

    • Ruby: 81%

    • Java: 74%

Vulnerability trends

  • New vulnerabilities were down almost 20% across the most popular ecosystems in 2019.

  • Cross-site scripting vulnerabilities were the most commonly reported.

  • Two prevalent prototype pollution vulnerabilities resulted in an impact on over 25% of scanned projects.

  • New vulnerabilities reported in common Linux distributions demonstrate the need for comprehensive monitoring for new vulnerabilities in container images.

  • SQL Injection vulnerabilities, while decreasing in prevalence in most ecosystems, have increased over the last three years in PHP packages.

Container & orchestration challenges

  • Official base images tagged as latest include known vulnerabilities; in particular, the official node image has almost 700 known vulnerabilities.

  • Over 30% of survey participants do not review Kubernetes manifests for insecure configurations.

  • Requirements for security-related resource controls in Kubernetes are not widely implemented.

Security culture

  • Increasingly, survey respondents feel that security for software and infrastructure should be shared among development, security, and operations roles.

  • However, few organizations have programs in place to develop shared responsibility across the dev, sec, and ops personnel.

Read more and download the 2020 State of Open Source Security report here. Join the Snyk Team on June 30th for a DevSecOps panel discussion on the recent findings and key takeaways. Register here to reserve your spot.

About Snyk

Snyk is a developer-first security company that helps software-driven businesses develop fast and stay secure. Snyk is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk's solution is built on a comprehensive, proprietary vulnerability database, maintained by an expert security research team in Israel and London. With tight integration into existing developer workflows, source control (including GitHub, Bitbucket, GitLab), and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix. For more information or to get started with Snyk for free today, visit https://snyk.io.