Researchers find 633% increase in cyber-attacks aimed at open source repositories

by | Oct 19, 2022 | News

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

Researchers warn that there has been a 633% year-over-year increase in cyber-attacks launched against open source software repositories.

 

Open source components, frameworks, libraries, and whole platforms are relied upon by organizations during multiple stages of the software development lifecycle. These components provide the lynchpins for communication, software capabilities, security, and user interactions – and as they are developed and reviewed by communities, open source promotes innovation in the software space.

However, the other side of the coin is that open source contributors are volunteers; therefore, security issues can sometimes slip through the net. Furthermore, IT teams may not be aware of what open source software is in use and so they might easily miss patch alerts and upgrades that impact their business.

New research suggests that cyber-attackers – well aware of organizational reliance on open source software – are increasing their attempts to compromise repositories year on year.

According to Sonatype’s 8th Annual State of the Software Supply Chain report, known attacks against open source repositories have increased by 633% year-over-year, and there has been an annual, overall increase of 742% since 2019.

After analyzing data from public and proprietary sources, the software supply chain security firm said that the popularity and growth of open source software continues to climb. The four main ecosystems – JavaJavaScript, Python, and .NET – tied to open source development are set to go beyond three trillion downloads in the near future.

However, this popularity has security ramifications.

See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course

Technical debt

 

“The amount of third-party code flowing through software supply chains occurs on a massive scale,” the researchers said. “Yet published code accrues technical debt over time, creating the potential for compounded security vulnerabilities, if not kept up-to-date.”

According to the researchers, 1.2 billion Java dependencies known to be vulnerable, for example, are downloaded each month while new, patched, or improved versions are ignored.

Sonatype said this is a prime example of “non-optimal consumption behaviors as the root of open source risk”.

“This is in contrast to public discussion, which often associates security risk with open source maintainers,” the report added.

Risky business

 

Risky behavior is not necessarily anyone’s fault. Developers tasked with managing dependencies face more complexity in their roles than ever, with the average Java application containing 148 dependencies – 20 more than 2021’s average – and going through an average ten updates a year.

Each dependency could contain vulnerabilities, so developers must track potentially thousands of changes per year, per app. Therefore, mistakes will be made.

Brian Fox, co-founder and CTO of Sonatype said that “the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality”.

It is, therefore, critical that education on the potential risk of outdated, vulnerable open source software is understood, and teams should consider adopting automation to lighten the load.

Fox added: “[The] sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: portswigger.net

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This