More than 75% of all vulnerabilities reside in indirect dependencies

June 26, 2020
in Internet Security

The vast majority of security vulnerabilities in open-source projects reside in indirect dependencies rather than directly and first-hand loaded components.

“Aggregating the numbers from all ecosystems, we found more than three times as many vulnerabilities in indirect dependencies than we did direct dependencies,” Alyssa Miller, Application Security Advocate at Snyk, told ZDNet in an interview discussing Snyk’s State of Open Source Security for 2020 study.

The report looked at how vulnerabilities impacted the JavaScript (npm), Ruby (RubyGems), Java (Maven Central), PHP (Packagist), and Python (PyPI) ecosystems.

Snyk said that 86% of the JavaScript security bugs, 81% of the Ruby bugs, and 74% of the Java ones impacted libraries that were dependencies of the primary components loaded inside a project.


Image: Snyk

Snyk argues that companies scanning their primary dependencies for security issues without exploring their full dependency tree multiple levels down would release or end up running products that were vulnerable to unforeseen bugs.
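The distinction the report draws, between a vulnerable package you declared yourself and one that arrived several levels down the tree, is mechanical once you have a lockfile. The following Node.js script is an added example, not code from Snyk or from the ZDNet article: it walks a constructed `package-lock.json` (lockfile version 2 "packages" layout), matches installed versions against a constructed advisory list with hypothetical ids, and reports each finding's depth and which direct dependency pulled it in. It assumes a flat, hoisted `node_modules` and exact-version matching in place of real semver ranges.

```javascript
// Added example, not from the Snyk report or the ZDNet article: walk an npm
// lockfile and report whether each known-vulnerable package is a direct or an
// indirect (transitive) dependency, and which direct dependency pulled it in.
// The lockfile and the advisory list are constructed for this illustration.

// Constructed package-lock.json, lockfileVersion 2 "packages" section, trimmed.
// Keys are install paths; "" is the root project. Assumes a flat (hoisted)
// node_modules, so a package name maps to a single installed version.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "util-lib": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.0",
      dependencies: { "http-parser": "^3.1.0", "template-engine": "^0.9.0" } },
    "node_modules/http-parser": { version: "3.1.2", dependencies: { "deep-merge": "^1.2.0" } },
    "node_modules/template-engine": { version: "0.9.4" },
    "node_modules/util-lib": { version: "2.0.1", dependencies: { "deep-merge": "^1.2.0" } },
    "node_modules/deep-merge": { version: "1.2.0" },
  },
};

// Constructed advisory feed (hypothetical ids and packages). Real feeds express
// affected versions as semver ranges; exact versions keep this example dependency-free.
const ADVISORIES = [
  { id: "ADV-1", name: "deep-merge", affected: ["1.2.0"], title: "prototype pollution" },
  { id: "ADV-2", name: "template-engine", affected: ["0.9.4"], title: "XSS via unescaped output" },
  { id: "ADV-3", name: "util-lib", affected: ["2.0.1"], title: "ReDoS" },
];

// "node_modules/@scope/pkg" -> "@scope/pkg"
function nameFromPath(installPath) {
  return installPath.replace(/^node_modules\//, "");
}

// Build name -> { version, deps[] } plus the list of direct dependencies.
function buildGraph(lock) {
  const nodes = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    nodes.set(nameFromPath(path), {
      version: entry.version,
      deps: Object.keys(entry.dependencies || {}),
    });
  }
  return { root: Object.keys(lock.packages[""].dependencies || {}), nodes };
}

// For every reachable package: the shortest distance from the root project
// (1 = direct dependency, deeper = indirect) and the set of direct dependencies
// that pull it in. One breadth-first search per direct dependency.
function walk(graph) {
  const info = new Map(); // name -> { depth, roots: Set<string> }
  for (const root of graph.root) {
    const queue = [[root, 1]];
    const seen = new Set([root]);
    while (queue.length) {
      const [name, d] = queue.shift();
      const entry = info.get(name) || { depth: d, roots: new Set() };
      entry.depth = Math.min(entry.depth, d);
      entry.roots.add(root);
      info.set(name, entry);
      // A dependency declared but missing from the lockfile has no deps to follow.
      for (const dep of (graph.nodes.get(name) || { deps: [] }).deps) {
        if (!seen.has(dep)) { seen.add(dep); queue.push([dep, d + 1]); }
      }
    }
  }
  return info;
}

function analyze(lock, advisories) {
  const graph = buildGraph(lock);
  const info = walk(graph);
  const findings = [];
  for (const adv of advisories) {
    const node = graph.nodes.get(adv.name);
    const hit = info.get(adv.name); // undefined if installed but unreachable from the root
    if (!node || !hit || !adv.affected.includes(node.version)) continue;
    findings.push({
      id: adv.id, name: adv.name, version: node.version, title: adv.title,
      depth: hit.depth, direct: hit.depth === 1,
      introducedBy: graph.root.filter((r) => hit.roots.has(r)),
    });
  }
  const indirect = findings.filter((f) => !f.direct).length;
  return { findings, direct: findings.length - indirect, indirect,
           indirectShare: findings.length ? indirect / findings.length : 0 };
}

// Scanning only the root's own dependencies would report ADV-3 and miss
// ADV-1 and ADV-2, which sit one level down.
console.log(JSON.stringify(analyze(LOCKFILE, ADVISORIES), null, 2));
```

The `introducedBy` list is the actionable part: an indirect finding cannot be fixed by editing your own `package.json` version pin, only by upgrading (or overriding) the direct dependency that brings the vulnerable package in, and a package reachable from two direct dependencies needs both of them handled.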

But while most security bugs in JavaScript, Ruby, and Java sat in indirect dependencies, the picture was reversed for PHP and Python, where the vast majority of bugs were in direct dependencies (primary components). There is a reason for that.

“I honestly find it’s more a matter of the development approach within ecosystems themselves,” Miller told ZDNet.

“Java and Node.js projects, in particular, seem to leverage dependencies a lot heavier than other ecosystems. In particular, when you look at the sheer size of the Node.js ecosystem, packages building off or leveraging key functionality from other packages is very much the norm.

“Ask any Node developer, and they probably have a story of waiting for long periods to open a project while npm is trying to pull all the necessary dependencies,” Miller added. “One of our favorite examples is an 80 line Java application that specifies 7 dependencies. When you walk the entire dependency tree, however, you find 59 sub-dependencies, and suddenly, the 80 lines of code turns into 740,000 lines.

“That ‘stranger danger,’ as we like to nickname it, is at the heart of some high profile breaches and a key cause of complexity in terms of software supply chain security,” Miller said.

A few bugs had a large impact

But the Snyk team didn’t just look at the location of these bugs in the open-source ecosystem, but also at what type of bugs they were.

Another interesting finding is that most of the new security flaws discovered in 2019 were cross-site scripting (XSS) bugs, but despite their high number, these impacted only a small portion of real-world projects.

Instead, two-dozen prototype pollution bugs had the biggest impact of all bugs discovered last year, affecting more than 115,000 different open source projects, and probably even more private ones.

Of these, the prototype pollution bugs in jQuery and Lodash had the biggest impact, as these libraries are among the most widely used JavaScript toolsets today.
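Prototype pollution is worth seeing in code, because the bug class explains why a handful of findings could touch so many projects: it lives in generic deep-merge and deep-set helpers that every other library calls. The block below is an added example and not jQuery's or Lodash's code. It shows a recursive merge that can be driven into `Object.prototype` by a JSON body, a hardened version of the same helper, and an authorization check that the pollution silently breaks. The payload and the `isAdmin` check are constructed for the illustration.

```javascript
// Added example, not jQuery's or Lodash's code: a recursive "deep merge" of the
// kind found in many JavaScript utilities, first in a form that can be made to
// write into Object.prototype, then hardened. The JSON payload is constructed.

// Vulnerable: walks every enumerable key of src, including one literally named
// "__proto__". Reading dst["__proto__"] yields Object.prototype, so the
// recursion then writes attacker-controlled keys onto every object in the process.
function mergeVulnerable(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (dst[key] === null || typeof dst[key] !== "object") dst[key] = {};
      mergeVulnerable(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: own keys only, never descend through the keys that reach the
// prototype chain, and only merge into own plain-object properties of dst.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// A typical check that prototype pollution subverts: an object that never had
// an isAdmin property inherits the polluted value from Object.prototype.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Constructed attacker payload, e.g. a JSON request body merged into settings.
// JSON.parse creates an own property named "__proto__"; it does not set the prototype.
const PAYLOAD = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

function demoVulnerable() {
  mergeVulnerable({}, PAYLOAD);
  const result = { polluted: ({}).isAdmin === true, strangerIsAdmin: isAdmin({ id: 7 }) };
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  return result;
}

function demoSafe() {
  const settings = mergeSafe({}, PAYLOAD);
  return {
    polluted: ({}).isAdmin === true,
    strangerIsAdmin: isAdmin({ id: 7 }),
    name: settings.name,
    hasProtoKey: Object.prototype.hasOwnProperty.call(settings, "__proto__"),
  };
}

console.log("vulnerable:", demoVulnerable());
console.log("hardened:  ", demoSafe());
```

Two details carry the fix: `Object.keys` instead of `for...in` limits the walk to own properties, and the explicit block on `__proto__`, `constructor` and `prototype` stops the recursion from ever obtaining a reference to a shared prototype. Checking that the destination key is an own plain object (rather than an inherited getter) is what prevents `dst[key]` from resolving to `Object.prototype` in the first place.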

[Figure: snyk-vuln-impact-type.png. Image: Snyk]

The Snyk team also pointed to another quirk in their report: "malicious packages" ranked as the second most common type of security issue found in projects last year.

This refers to open-source libraries that were either created to be malicious on purpose, or libraries where the developer's account was hijacked and the published code poisoned.

“The vast majority, over 87%, were from npm [JavaScript] packages,” Miller told ZDNet.

Fewer security bugs last year, but no reason to celebrate

Furthermore, Snyk also noted a 20% drop in the number of bugs they discovered across all the five ecosystems they scanned.

[Figure: snyk-vuln-2019.png. Image: Snyk]

“It is hard to say for sure [why they dropped],” Miller said. “The perpetual security skeptic in me says this could just be part of the natural ebb and flow. However, on the optimistic side, we do see some key shifts in the community that could mean it’s more than just a single year outlier.

“For instance, where we saw more Cross-Site Scripting (XSS) vulnerabilities reported than any other vulnerability type, they affected a small portion of the total projects we scanned for the year. That suggests that XSS is likely not impacting more heavily used and therefore matured projects meaning that we are potentially getting traction in secure coding techniques.

“Also, our survey showed that attitudes across the community are starting to see software security as a shared responsibility between developers and security teams (and even to some extent the operations teams),” Miller said.

“That improved cooperation could certainly be helping drive better awareness and tactical measures around secure code and secure use of open source packages.

“Having worked in security for 15 years, I’m certainly not ready to proclaim one year as a sign that things have taken a new direction, but you can bet it’s a trend we’ll continue to watch and see how things look over the coming months and the whole of 2020.”

For additional insights into the general security state of the open-source community, Snyk’s full report is available for download here.


Credit: ZDNet
