Researchers find 633% increase in cyberattacks targeting open source repositories

Charlie Osborne October 18, 2022 at 15:21 UTC

Updated: October 18, 2022 4:07 PM UTC

Wave of attacks blamed on ‘avoidable’ bugs

Researchers warn that there has been a 633% year-over-year increase in cyberattacks launched against open source software repositories.

Open source components, frameworks, libraries, and entire platforms are used by organizations during different stages of the software development lifecycle. These components provide the keystones of communication, software capabilities, security, and user interactions – and as they are developed and reviewed by communities, open source drives innovation in the software space.

However, the flip side is that open source contributors are volunteers; therefore, sometimes security issues can slip through the net. Additionally, IT teams may not know what open source software is being used and therefore can easily miss patch alerts and upgrades that impact their business.


New research suggests that cyber attackers – well aware of the organizational reliance on open source software – are increasing their attempts to compromise repositories year after year.

According to Sonatype’s eighth annual State of the Software Supply Chain report, known attacks against open source repositories have increased by 633% year over year, an average annual increase of 742% since 2019.

After analyzing data from public and proprietary sources, the software supply chain security firm said the popularity and growth of open source software continues to climb. The four main open source ecosystems – Java, JavaScript, Python and .NET – are expected to exceed three trillion package downloads in the near future.

However, this popularity has security ramifications.

Technical debt

“The amount of third-party code circulating in software supply chains is happening at scale,” the researchers said. “Yet published code accumulates technical debt over time, creating the potential for compounded security vulnerabilities, if not kept up to date.”

According to the researchers, 1.2 billion downloads per month are of Java dependencies with known vulnerabilities, even though newer, patched versions of those same dependencies are available and are being ignored.

Sonatype said it was a prime example of “suboptimal consumer behavior as the root of open source risk.”

“This stands in contrast to public debate, which often associates security risk with open source maintainers,” the report adds.

Risky business

Risky behavior is not necessarily anyone’s fault. The job of the developers who manage dependencies is more complex than ever: the average Java application now contains 148 dependencies – 20 more than the 2021 average – and each of those dependencies is updated an average of ten times a year.

Each dependency can contain vulnerabilities, so developers must track potentially thousands of changes per year, per application (148 dependencies × ten updates is roughly 1,500 version changes). Inevitably, mistakes will be made.

Brian Fox, co-founder and CTO of Sonatype, said that “the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality.”

Teams therefore need to understand the risk posed by outdated and vulnerable open source components, and should consider adopting automation – an inventory of what is actually in use, matched continuously against published advisories – to lighten the load.
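The automation the article recommends boils down to two steps: know which component versions you ship, and match them against advisories that say which versions are affected and which release fixes them. The following Python example, added here and not taken from Sonatype or the report, shows that matching for a Maven-style dependency list (the `group:artifact:packaging:version:scope` lines printed by `mvn dependency:list`). The coordinates, versions and advisory identifiers are constructed for illustration and do not refer to real packages or CVEs; a real deployment would replace the inline advisory list with a feed such as OSV or the GitHub Advisory Database.

```python
"""Audit a Maven-style dependency list against an advisory feed.

Added example. Every package, version and advisory below is constructed
for illustration; none refers to a real artifact or vulnerability.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str          # hypothetical advisory identifier
    package: str     # "group:artifact"
    introduced: str  # first affected version (inclusive)
    fixed: str       # first patched version (exclusive); "" means no fix yet
    summary: str


def parse_version(v: str) -> tuple:
    """Turn '2.17.1' or '1.0-rc1' into a tuple that sorts like Maven does
    for plain numeric versions: numeric components compare numerically,
    missing components count as 0 (2.17 == 2.17.0), and a qualified
    version sorts before the bare release (1.0-rc1 < 1.0)."""
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    return (nums, -1 if qualifier else 0, qualifier)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (no upper bound if unfixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_dependency_list(text: str) -> list[tuple[str, str]]:
    """Parse `mvn dependency:list` style lines (group:artifact:type:version:scope);
    the shorter group:artifact:version form is accepted too."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 5:
            group, artifact, version = parts[0], parts[1], parts[3]
        elif len(parts) == 3:
            group, artifact, version = parts
        else:
            raise ValueError(f"unrecognised coordinate: {line}")
        deps.append((f"{group}:{artifact}", version))
    return deps


def audit(deps: list[tuple[str, str]], advisories: list[Advisory]) -> list[dict]:
    """Return one finding per (dependency, advisory) match, with the fix version."""
    by_pkg: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings = []
    for pkg, version in deps:
        for adv in by_pkg.get(pkg, []):
            if is_affected(version, adv):
                findings.append({"package": pkg, "version": version, "advisory": adv.id,
                                 "fixed_in": adv.fixed or None, "summary": adv.summary})
    return findings


# Constructed advisory feed (hypothetical identifiers and packages).
ADVISORIES = [
    Advisory("EX-2022-0001", "com.example:text-tools", "2.0.0", "2.5.3",
             "hypothetical: unsafe expression evaluation in 2.x"),
    Advisory("EX-2022-0002", "com.example:text-tools", "1.0.0", "1.4.7",
             "hypothetical: same bug in the 1.x line"),
    Advisory("EX-2021-0007", "com.example:net-client", "3.1.0", "",
             "hypothetical: header injection, no fixed release yet"),
]

# Constructed `mvn dependency:list` style output.
SAMPLE_DEPENDENCY_LIST = """
# constructed sample, not real project output
com.example:text-tools:jar:2.5.1:compile
com.example:net-client:jar:3.2.0-rc1:compile
com.example:json-core:jar:4.0.2:compile
com.example:text-tools:jar:2.5.3:test
"""


def run_sample() -> list[dict]:
    return audit(parse_dependency_list(SAMPLE_DEPENDENCY_LIST), ADVISORIES)


if __name__ == "__main__":
    for f in run_sample():
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['advisory']}: {f['package']} {f['version']} -> upgrade to {fix}")
```

Two details matter in practice. A finding without a `fixed_in` value (the `net-client` release candidate above) is the case automation cannot resolve by upgrading, so it should be routed to a human rather than silently retried. And the same artifact can appear twice in different scopes (`text-tools` 2.5.1 at compile and 2.5.3 at test); only the vulnerable one is reported, which is why the inventory must record the exact resolved version per scope rather than the artifact name alone.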

Fox added: “The sobering reality demonstrates the immediate need for organizations to prioritize software supply management to better manage security risks, increase developer efficiency, and enable faster innovation.”
