Friday 15 January 2021

Vulnerabilities often go undetected for more than four years before being disclosed

GitHub reported in its 2020 “State of the Octoverse” report that vulnerabilities often go undetected for more than four years before being disclosed. We have seen live bugs in high-profile open source codebases for decades, as demonstrated by the Shellshock vulnerability in Bash that enabled an attacker to gain unauthorized access. It was discovered in 2014 and was isolated to code added in 1989. A recent example is the Dirty Cow privilege escalation vulnerability in Linux kernel versions before 2018 (CVE-2016-5195), which took nine years and one month to fix.

It only takes a single third-party component from an upstream developer to unintentionally or maliciously slip in a vulnerability that has a cascade effect, introducing flaws that propagate and persist throughout the ecosystem, potentially for years. Alerts about known vulnerabilities help to get code patched, but the reuse of OSS projects and libraries over many years leads to complex ‘trees of dependencies’ that make it difficult to ensure every copy of the vulnerable code, direct or transitive, is patched. In the meantime, malicious actors have the opportunity to exploit the vulnerability.
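The dependency-tree problem described above, as an added example that is not part of the original post: a small audit over a constructed lock-file graph (hypothetical package names) that reports every path still reaching a pre-fix version of a vulnerable package, showing why patching the direct dependency alone is not enough.

```python
"""Find every dependency path that still reaches an unpatched package version.

Added example. The lock-file graph below is constructed for illustration;
the package names and versions are hypothetical.
"""

# Constructed lock file: (name, version) -> list of pinned direct dependencies.
# 'parsekit' is pulled in several times at different pinned versions, so the
# top-level pin being fixed says nothing about the transitive copies.
LOCK = {
    ("app", "1.0"): [("webfw", "3.2"), ("parsekit", "1.4.2"), ("imgtool", "2.1")],
    ("webfw", "3.2"): [("parsekit", "1.3.9"), ("netio", "0.9")],
    ("netio", "0.9"): [("parsekit", "1.4.2")],
    ("imgtool", "2.1"): [("parsekit", "1.2.0")],
    ("parsekit", "1.4.2"): [],
    ("parsekit", "1.3.9"): [],
    ("parsekit", "1.2.0"): [],
}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable_paths(lock, root, package, fixed_in):
    """Return each path from `root` to a copy of `package` older than `fixed_in`.

    Every copy is reported, because each one is a separate place where the
    vulnerability survives even after the direct dependency has been updated.
    """
    fixed = parse_version(fixed_in)
    found = []

    def walk(node, path):
        name, version = node
        label = f"{name}@{version}"
        if name == package and parse_version(version) < fixed:
            found.append(path + [label])
            return
        if label in path:  # guard against dependency cycles
            return
        for dep in lock.get(node, []):
            walk(dep, path + [label])

    walk(root, [])
    return found


if __name__ == "__main__":
    # Hypothetical advisory: parsekit versions before 1.4.0 are affected.
    for path in find_vulnerable_paths(LOCK, ("app", "1.0"), "parsekit", "1.4.0"):
        print(" -> ".join(path))
```

Run as is, it lists the two transitive copies (via webfw and via imgtool) that remain unpatched even though app itself pins a fixed version.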

The OSS process could facilitate security, but it is difficult for a computer science or computer engineering community to sustain uniform, best-of-breed security-by-design principles. In general, it has been challenging for OSS to reach the level of security often required. At a minimum, the OSS crowdsourcing approach needs a rigorous security management process in place so that its openness and "many eyeballs" can be directed at bug fixing and vulnerability removal.
