Vulnerabilities and undiscovered flaws are abundant in open source GitHub repositories, placing risk and potential exposure on the organizations that rely on these code bases, according to Veracode research published Tuesday.
Inconsistent or delayed code commits and improper scanning create risk as repositories age, the application security company said in its annual State of Software Security report.
Enterprises take on a further layer of potential exposure when source code, a common target for threat actors, is stored in repositories hosted on platforms such as GitHub. The identity and access management platform Okta said its source code repositories on GitHub were accessed and copied by a threat actor in December 2022.
Password manager LastPass is also dealing with unauthorized access to its code base, which resulted in a threat actor copying a backup of its customer vault data, potentially compromising more than 33 million registered users. LastPass did not specify which code repository it used.
While source code theft doesn’t always lead directly to customer account breaches, malicious actors can scan the stolen code for vulnerabilities that open other avenues of attack.
The number of vulnerabilities in open-source repositories on GitHub can be partially linked to the age of each code base and the cadence of commits made to it, according to Veracode.
“When developers add an open source library to their application, 79% of the time they never go back to update it, so any flaws would continue to accumulate,” Chris Eng, chief research officer at Veracode, said via email.
To measure the fragility of legitimate packages, Veracode identified nearly 30,000 open-source repositories publicly hosted on GitHub and actively used by Veracode customers. Of those repositories, 1 in 10 only had a single developer.
The age of repositories in production can itself cause issues.
The majority of repositories studied by Veracode are between four and 10 years old. One in five had new commits in the past month and half had no commits in the last year.
“While we haven’t yet explored the specific implications for vulnerabilities or code flaws in these stagnant repositories, we suggest that relying too heavily on such repositories may increase the fragility of the overall application,” Eng said.
Nearly one-third of the applications studied by Veracode were found to have flaws at the first scan and more than two-thirds contain at least one security flaw after five years in production.
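The signals the report ties to fragile dependencies (repository age, commit cadence and single-maintainer projects) are simple to check against an organization's own dependency inventory. The script below is an added illustration, not Veracode's methodology or code: the thresholds are assumptions modelled on the figures quoted above, and the repository names, dates and contributor counts are constructed sample data rather than real projects.

```python
# Added example (not Veracode's tooling): flag third-party repositories by the
# fragility signals the article names: repository age, commit cadence and
# single-maintainer risk. Repo metadata is constructed inline; a real run would
# pull it from the GitHub API or an existing dependency inventory.
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions modelled on the figures quoted in the article.
STALE_DAYS = 365          # "no commits in the last year"
RECENT_DAYS = 30          # "new commits in the past month"
AGE_BAND_YEARS = (4, 10)  # "between four and 10 years old"
DAYS_PER_YEAR = 365.25


@dataclass
class RepoSnapshot:
    """Minimal metadata for one upstream repository (hypothetical schema)."""
    name: str
    created: date
    last_commit: date
    contributors: int


def fragility_flags(repo, as_of):
    """Return the fragility signals that apply to one repository on date as_of."""
    flags = []
    idle_days = (as_of - repo.last_commit).days
    age_years = (as_of - repo.created).days / DAYS_PER_YEAR
    if idle_days > STALE_DAYS:
        flags.append("stale: no commits in the last year")
    if repo.contributors == 1:
        flags.append("single maintainer")
    if AGE_BAND_YEARS[0] <= age_years <= AGE_BAND_YEARS[1]:
        flags.append("aging: 4-10 years old")
    return flags


def cadence_summary(repos, as_of):
    """Fleet-level view matching the article's two commit-cadence figures."""
    total = len(repos)
    recent = sum(1 for r in repos if (as_of - r.last_commit).days <= RECENT_DAYS)
    stale = sum(1 for r in repos if (as_of - r.last_commit).days > STALE_DAYS)
    return {"total": total, "recent_share": recent / total, "stale_share": stale / total}


# Constructed sample inventory: names, dates and counts are made up.
AS_OF = date(2023, 1, 24)
SAMPLE = [
    RepoSnapshot("example-org/yaml-parser", date(2016, 3, 1), date(2023, 1, 10), 14),
    RepoSnapshot("example-org/legacy-auth-lib", date(2014, 6, 15), date(2021, 8, 2), 1),
    RepoSnapshot("example-org/http-retry", date(2022, 9, 5), date(2022, 12, 30), 3),
    RepoSnapshot("example-org/csv-utils", date(2011, 1, 20), date(2019, 4, 11), 2),
]


def report(repos=SAMPLE, as_of=AS_OF):
    """Map each repository name to its list of fragility flags."""
    return {r.name: fragility_flags(r, as_of) for r in repos}


if __name__ == "__main__":
    for name, flags in report().items():
        print(f"{name}: {', '.join(flags) or 'no flags'}")
    print(cadence_summary(SAMPLE, AS_OF))
```

A repository that collects all three flags (stale, single maintainer, within the aging band) is the kind of dependency the report describes as raising the fragility of the whole application; the fleet summary reproduces the "commits in the past month" and "no commits in the last year" shares so the same figures can be tracked for an internal inventory over time.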
Unresolved security issues in open-source software often come down to priorities and the unmet need for more organizations to invest time and resources in development, scanning and testing, according to Scott Gerlach, co-founder and CSO at StackHawk, an API security testing firm.
“This vector is being exploited due to its relatively low cost of entry and high effectiveness,” Gerlach said via email. “It’s going to get harder and harder to keep up with such an effective attack vector without a major change in how these libraries get delivered into software that uses them.”