Software written in the past few years is less error-prone on the whole and therefore more resistant to cyberattacks. But that by no means indicates that open-source code is always safe to use, security researcher Synopsys cautions.
The analyst scrutinized open-source code over a three-year period, and found that in 2022 the software tests it ran detected vulnerabilities in just 83% of cases, as opposed to 95% the previous year, and 97% in 2020.
“The continual decrease in overall vulnerabilities is an encouraging sign that development teams are improving their ability to write error-free code and that practices such as code reviews, automated testing, and continuous integration are helping to reduce common programming errors,” said Synopsys.
It believes this is due to advances in programming that enable “built-in checks and tools that help developers catch errors before they become significant issues.”
This extra due diligence has been more widely reflected throughout the open-source community, with developers intensifying their “scrutiny of code, leading to higher quality standards.”
Not out of the woods yet
Unfortunately, that doesn’t mean the cybercriminal ghost has been laid to rest once and for all. Older and less popular open-source projects remain vulnerable, with Synopsys citing parallel research that finds a fifth of such projects begun last year have since been abandoned.
Abandoned code is more prone to exploitation, and given that nine-tenths of software uses at least one open-source package, this could still spell trouble for organizations that depend on it.
“The tests underscore the ongoing dangers posed by vulnerable third-party libraries and the need for robust software supply-chain security in software development environments,” said Synopsys.
Across the three-year span of its research, Synopsys found that just over a quarter of the software it scrutinized (27%) had “high-severity vulnerabilities,” with another 6% found to be in its “critical” category.
Cross-site scripting was the most common weakness detected in the former, less severe category, while SQL (structured query language) injection topped the list for the latter, more severe, class.
Devil in the details
More worryingly, the overall trend of declining vulnerabilities during the same period is reversed when one focuses only on critical-level severity weaknesses – which rose from 4.5% in 2020 to 6.7% last year.
“The numbers reflect that high- and critical-severity vulnerabilities have been increasing in the past few years and hit an all-time high in 2022,” said Synopsys, adding that around four in five issues reported in 2022 were either medium or high severity, with about one in six (16%) deemed critical.
It added: “While development teams are reducing overall vulnerabilities, the data indicates that many medium- through critical-severity vulnerabilities require more robust testing – such as penetration testing – in order to be uncovered.”
And if software coders have upped their game, so too have the cybercriminals, who are increasingly benefiting from advanced automation techniques to mount more devastating attacks.
“With more attackers using automated exploitation tools that can attack thousands of systems in a matter of seconds, fixing high- and critical-risk vulnerabilities can become urgent whenever those vulnerabilities are discovered,” said Synopsys.
Warning that more than half of reported vulnerabilities are exploited by attackers within a week of disclosure, Synopsys added: “Security or vulnerability issues in deployed applications tend to cascade downhill, not only through their potential of disrupting an organization’s – or its customers’ – business operations, but also through their impact on the entire [...] software supply chain.”