Open-source repository risk amplified on GitHub – Cybersecurity Dive

Inconsistent or delayed code commits create risk as repositories age, Veracode research found.
Vulnerabilities and undiscovered flaws are abundant in open-source GitHub repositories, placing risk and potential exposure on the organizations that rely on these code bases, according to Veracode research published Tuesday.
Inconsistent or delayed code commits and improper scanning create risk as repositories age, the application security company said in its annual State of Software Security report.
Enterprises assume another realm of potential exposure when source code, a common target for threat actors, is stored in open-source repositories such as GitHub. The identity and access management platform Okta said its source code repositories on GitHub were accessed and copied by a threat actor in December 2022.
Password manager LastPass is also dealing with unauthorized access to its code base, which resulted in a threat actor copying a backup of its customer vault data, potentially compromising more than 33 million registered users. LastPass did not specify what code repository it used.
While open source code theft doesn’t always lead directly to customer account breaches, malicious actors can scan the code for vulnerabilities that enable other means of attack.
The number of vulnerabilities in open-source repositories on GitHub can be partially linked to the age and commit cadence of each code base, according to Veracode.
“When developers add an open source library to their application, 79% of the time they never go back to update it, so any flaws would continue to accumulate,” Chris Eng, chief research officer at Veracode, said via email.
To measure the fragility of legitimate packages, Veracode identified nearly 30,000 open-source repositories publicly hosted on GitHub and actively used by Veracode customers. Of those repositories, 1 in 10 only had a single developer.
The age of valid repositories in production can cause issues.
The majority of repositories studied by Veracode are between four and 10 years old. One in five had new commits in the past month and half had no commits in the last year.
“While we haven’t yet explored the specific implications for vulnerabilities or code flaws in these stagnant repositories, we suggest that relying too heavily on such repositories may increase the fragility of the overall application,” Eng said.
Nearly one-third of the applications studied by Veracode were found to have flaws at the first scan and more than two-thirds contain at least one security flaw after five years in production.
Unresolved security issues in open-source software often come down to priorities, and to a still-unmet need for more organizations to invest time and resources in development, scanning and testing, according to Scott Gerlach, co-founder and CSO at StackHawk, an API security testing firm.
“This vector is being exploited due to its relatively low cost of entry and high effectiveness,” Gerlach said via email. “It’s going to get harder and harder to keep up with such an effective attack vector without a major change in how these libraries get delivered into software that uses them.”