Many security vulnerabilites take a seriously long time to be fully disclosed, putting businesses and users alike at risk of further attack, new research has revealed.
With over 56 million developers, GitHub is the world’s largest platform for open source developers, and as part of its annual Octoverse survey, the platform discovered that a vulnerability usually goes undetected for about 218 weeks.
That’s just over four years, and while it might sound like a lot, GitHub points to the RAND report on zero-day vulnerabilities, which discovered that exploits surviving for five years before being publicly discovered and disclosed, wasn’t unheard of.
The open source community is better placed, as GitHub discovered that over 80% of the CVEs it sends alerts for “are due to mistakes rather than malicious intent.” Even then the GitHub report points out that once a vulnerability has been identified it doesn’t take long for the community to release a fix.
Securing the supply chain
GitHub has been very vocal about securing the open source supply chain, noting that, “94% of projects rely on open source components, with nearly 700 dependencies…so when there’s a problem with security in the supply chain, you see a massive ripple effect.”
It reaffirms its position in the Octoverse report saying that the security findings “highlights the opportunities to improve vulnerability detection in the security community. The key is to leverage automated alerting and patching tools to secure your software quickly.”
Octoverse is the annual survey that GitHub conducts among its large cache of projects and developers in a bid to get the pulse of the community. In addition to security, the report also looks into developer productivity, and how collaboration and development patterns have shaped in light of the global pandemic.