The number of disclosed open source software vulnerabilities in 2019 reached over 6,000, up from just over 4,000 in 2018, a new WhiteSource report says.
“This can be attributed to the rise in awareness to open source security following the widespread adoption of open source components and the massive growth of the open source community over the past few years, along with the media attention directed at recent data breaches,” the company noted.
Discovery, disclosure and listing
WhiteSource has surveyed over 650 developers, collected data from the National Vulnerability Database (NVD), security advisories, peer-reviewed vulnerability databases, issue trackers and more, and has found that:
- Over 85% of open source security vulnerabilities are disclosed with a fix already available
- Only 84% of known open source vulnerabilities eventually appear in the NVD, some of them months after their disclosure elsewhere
- C still has the highest percentage of vulnerabilities (30%) due to the high volume of code written in this language. It is followed by PHP (27%) and Java (15%).
Python’s rise in popularity has not been matched by a rise in its percentage of vulnerabilities; whether that reflects secure coding practices or simply less security research directed at Python projects is unknown.
The nature of the vulnerabilities
The most common security weaknesses (CWEs) in 2019 were cross-site scripting flaws (XSS), followed by improper input validation vulnerabilities and buffer errors.

The 2019 top 5 list differs minimally from the list of the year before – in 2018, buffer errors were second on the list and improper input validation bugs third, while the rest of it is the same.
“What’s concerning is that the most common CWEs are due to simple code errors and imprecise coding, that all developers could avoid by sticking to fairly basic coding standards,” the researchers pointed out.
“While they are not in the top five, it’s interesting that CWE-352 — Cross-Site Request Forgery (CSRF), has emerged in the top 10 CWEs this year, and that CWE-89 — SQL Injection, re-emerged after it wasn’t one of the top CWEs since 2015. This might be due to an increase in the volume of open source web projects developed, and it might indicate that web vulnerabilities are on the rise and something we should be mindful of when coding.”
from Help Net Security https://ift.tt/3cXjHTW
