Snyk recently released its fourth annual 'State of Open Source Security' report, which analyzed open source statistics, vulnerability trends and security culture.
A new report by developer-first security company Snyk found encouraging reductions in open source vulnerabilities in 2019, but plenty of room for improvements when it comes to open source security.
Released Thursday, Snyk's "State of Open Source Security" report determined that new vulnerabilities were down almost 20% across the most popular ecosystems in 2019 compared with 2018, with cross-scripting vulnerabilities being the most commonly reported. On the other hand, container and orchestration challenges remained worrisome. More than 30% of survey participants said they do not review Kubernetes manifests for insecure configurations. In addition, the official node image was found to have almost 700 known vulnerabilities.
Snyk surveyed more than 500 developers, security practitioners and operations technologists. The report contains internal data from the Snyk vulnerability database, as well as research and data published by various sources that include aggregated data from scanning the millions of repositories in GitHub, GitLab, Bitbucket and others.
Open source vulnerabilities in container images
While there are multiple concerning take-aways from the report, security around container images tops the list, according to Snyk application security advocate Alyssa Miller.
"It's not just the numbers that make me nervous -- it's the fact that I've seen talk in the developer community where there's an assumption made that if a container image is marked as an official image then it's automatically secure," Miller said. "We looked at the top 10 most popular container images out there and every one of them, say for one, had significant numbers of vulnerabilities in it."
Most container images were found to have 60 to 80 vulnerabilities, Miller said.
"You can't assume because a container image is marked as official, that it's automatically devoid of vulnerabilities. That's not how this stuff works. There are containers that are built, they're managed by somebody, but just like any other open source, as vulnerabilities are found in the dependency of those containers, they have to go back and rebuild those containers and upload them again," Miller said. "It's software, and at the end of the day containers are just software so vulnerabilities are going to happen, so do your regular security hygiene."
It's software, and at the end of the day containers are just software so vulnerabilities are going to happen, so do your regular security hygiene.
Alyssa MillerApplication security advocate, Snyk
According to the report, official base images tagged as latest include known vulnerabilities, like the node image. Base images are important because they are a starting point.
"Base images are those images that are available to you in the open source community. Things that you can pull. I can make changes, but that's my starting point, and so leveraging a slimmed down image, it's a lot easier to take a slim base image and then build on it," Miller said. "The node one is great because it's an extreme example. Six hundred and eighty-seven, I think, vulnerabilities in that thing, but that's because if I go and pull node latest, it pulls the biggest buster image, whereas if I go grab a node slim, suddenly I see 95% fewer vulnerabilities. It's like 40-something because now you've got this slim package."
According to Miller, one way to minimize an attack surface is to pull a container image that's appropriately marked for the particular service or app a user needs.
Another way to minimize an attack surface is to utilize the configuration settings provided by Kubernetes, a popular open source program for managing Linux containers.
"Things like setting CPU and memory limits, preventing the use of root attack, setting audit logging. You can also specifically exclude certain known vulnerable libraries from being included," Miller said. "It's all the same stuff we did on PRAM physical hardware; it's the same challenges, it's just now in software and it's all software-defined, code-defined. So, while it's the same battle you would expect the remediation to be a little easier."
One vulnerability trend that's harder to identify is prototype pollution, because it's code-based.
"Two prevalent prototype pollution vulnerabilities resulted in an impact on over 25% of scanned projects," Snyk wrote in the report. Those two are JQuery and Lodash.
While respondents to Snyk's survey didn't see many reports of prototype pollution, the ones they did see had a strong impact, Miller said.
"They were showing up in very popular JavaScript packages. I think Lodash, we looked and there was something like 4.3 million projects in GitHub that were using it. It's not as well understood as something like cross script, and you have to do static analysis to locate it. You're not going to find it through a dynamic test, and the attack vector comes through code as well," Miller said. "So, it's difficult to find, which explains why we see low numbers of them, and it's also why I think more popular packages, more well-maintained and highly scrutinized packages would have those type of vulnerabilities because they are more commonly looked for."
More groups taking responsibility for security
In addition to the reduction in open source vulnerabilities, Miller said changes in security culture are also shifting in a positive direction.
"Last year when we asked people who is responsible for software security, everyone put the weight solely on the developers' shoulders -- 85% said developers, but only 25% thought security and 21% thought ops. This year, it was the same 85% for developers, but we saw security come up to 55% and even ops rose to 35%," Miller said. "To me, that is encouraging because when you think DevSecOps, that's what it's all about. Everyone is responsible for delivering software that's secure. Seeing that change in attitude, reductions in vulnerabilities, seeing that well-discussed vulnerabilities, while we're finding lots of them, they're not impacting lots or projects and all of that is promising stuff."
