Security issues can go undetected for years before being disclosed: GitHub report

Hemani Sheth Mumbai | Updated on December 03, 2020 Published on December 03, 2020

Most vulnerabilities are from mistakes, not malicious attacks

Security vulnerabilities can often go undetected for over four years before they are disclosed, according to the latest 2020 Security report by GitHub.

As per the report, vulnerabilities can often not be detected for more than for years. Once they are disclosed, developers may take over four weeks to fix these vulnerabilities.

“Once they are identified, the package maintainer and security community typically create and release a fix in just over four weeks. This highlights the opportunities to improve vulnerability detection in the security community,” the report said.

However, the majority of vulnerabilities arise from mistakes and not malicious attacks.

“Most vulnerabilities are from mistakes, not malicious attacks: While malicious attacks are more likely to get attention in security circles, 83 per cent of the CVEs that GitHub sends alerts for are due to mistakes rather than malicious intent,” as per the report.

Active repositories with a supported package ecosystem have a 59 per cent higher chance of getting a security alert in the next 12 months.

Software packages based on Ruby (81 per cent) and JavaScript (73 per cent) are most likely to receive an alert in the last 12 months.

Apart from this, the report also states that 94 per cent of projects rely on open source components. These have approximately 700 dependencies. This makes the projects more vulnerable in terms of security.

“Most projects on GitHub rely on open-source software. We see the most frequent use of open source dependencies in JavaScript (94 per cent), Ruby (90 per cent), and .NET (90 per cent). A repository can have hundreds of dependencies, so when there’s a problem with security in the supply chain, you see a massive ripple effect,” the report added.

Automation can help improve security and provide a security patch for vulnerabilities faster, as per the report.

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

Published on December 03, 2020
This article is closed for comments.
Please Email the Editor