Enterprises are finding open source so alluring that vulnerabilities are less important

The Equifax data breach of 2017 was a bad one. Just how bad it ended up being was only revealed in May this year. This isn’t for the faint of heart: 209,000 payment cards, 99 million addresses, and more than 146 million people affected.

Yet these revelations have had little effect on organisations using vulnerable open source software. According to the latest State of the Software Supply Chain report from Sonatype, the trend of hackers injecting vulnerabilities directly into open source projects is growing, with use of vulnerable components up 120% year over year.

The amount of time taken between a vulnerability being exposed and exploited continues to diminish. According to Gartner, IBM and Sonatype data, back in 2006 it would take an average of 45 days for a vuln to be exploited. Today, it takes on average three days.

Indeed, the report notes one detail which ‘did not receive sufficient attention’: it was three days between the Apache Struts vulnerability being made public and the initial Equifax breach. Since the breach, in March 2017, there have been an estimated 80,000 vulnerable Struts downloads per month.

The changing attack landscape is concerning enough on its own, but automation is causing even more headaches for enterprises. “According to a Ponemon Institute/ServiceNow survey, the majority of respondents agreed that attackers are outpacing enterprises with technology such as machine learning and artificial intelligence,” the report notes. “The same survey reports [that] 53% of respondents said the time window for patching – the time between patch release and hacker attack – has decreased an average of 29% over the last two years.

“As AI-fuelled attacks become more prevalent, we expect that window to shrink even further.”

The rise of cryptomining through Struts vulnerabilities has also been noted in the report. As sister publication CloudTech put it back in July, the method is quickly becoming the ‘attack vector du jour’, with Coinhive, which mines the Monero cryptocurrency, the leading miner. “While data theft continues to be lucrative, it’s also risky,” the report explains. “A successful thief must find someone willing to buy the data – which increases their risk of being caught.

“In light of this risk variable and the rapidly rising value of cryptocurrency, some cyber criminals have shifted gears and are now exploiting open source to steal computing resources to actively mine cryptocurrency.”

Demand continues to move in only one direction. More than 15,000 new or updated open source releases are made available to developers each day, while enterprise downloads of Java components went up 36% year on year. The report also notes that almost 20 different governmental organisations around the world have called for improved open source software security and governance.

“As with any technology, open source software components deliver many advantages. They also come with their own set of risks,” said Scott Crawford, information security research director at 451 Research. “Before an organisation can assess these exposures, an accurate and up-to-date inventory of OSS components is required.

“This year’s State of the Software Supply Chain report shows that too many organisations are still failing at this most basic line of cyber hygiene,” added Crawford.

You can read the full report here (email required).
