Open Source Malware on the Rise, According to Sonatype Report

Organizations struggle with persistent risk.

Malware has infiltrated open source ecosystems at an alarming rate, according to Sonatype’s 10th annual State of the Software Supply Chain.

According to the survey report, more than “512,847 malicious packages have been logged just in the past year, a 156% increase year-over-year,” highlighting the need for organizations to better understand and adapt their use of open source software.

Organizations continue to struggle with persistent vulnerabilities, such as Log4j, with 13% of downloads remaining vulnerable three years after the issue was first exposed, the report says. Specifically:

  • 80% of application dependencies remain un-upgraded for more than a year, even though 95% of the vulnerable versions have safer alternatives available.
  • 3.6% of dependencies are still vulnerable because they were updated to another insecure version.
  • Reliance on end-of-life (EOL) components, which no longer receive updates, leads to the gradual breakdown of software integrity.

The report also states that “reducing persistent risk is possible by focusing on tools that help manage dependencies and apply real-time vulnerability detection.” For example, “projects using a Software Bill of Materials (SBOM) to manage OSS dependencies showed a 264-day reduction in mean time to remediate (MTTR) compared to those that did not.”
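The two findings above (dependencies left un-upgraded while a fix exists, and dependencies "upgraded" to a version that is still affected) are exactly what an SBOM-driven check is meant to surface. The script below is an added example, not Sonatype's tooling or anything from the report: it parses two constructed CycloneDX-style SBOM fragments (a "before" and an "after" build), compares every component against a constructed advisory table, and reports which components are still vulnerable, which were bumped to another insecure version, and which are end-of-life. The only real data point is the Log4j fixed version (2.17.1), taken from Apache's published advisories; `example-lib`, `legacy-eol`, and their version ranges are illustrative.

```python
"""Audit dependency versions recorded in an SBOM against an advisory table.

Added example, not part of the original article or Sonatype's products.
Both SBOMs and the advisory table below are constructed inline; only the
Log4j fixed version (2.17.1) reflects Apache's published advisories.
"""
import json

# Constructed "before" SBOM fragment in the CycloneDX JSON layout.
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "example-lib", "version": "1.2.0"},
    {"type": "library", "name": "legacy-eol", "version": "0.9.3"},
]})

# Constructed "after" SBOM: log4j-core was bumped, but not past the fix.
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.15.0"},
    {"type": "library", "name": "example-lib", "version": "1.3.0"},
    {"type": "library", "name": "legacy-eol", "version": "0.9.3"},
]})

# Constructed advisory table: name -> (first affected version, first fixed version).
# Only the log4j-core fixed version is real (Apache Log4j 2.17.1); example-lib is illustrative.
ADVISORIES = {
    "log4j-core": ("2.0", "2.17.1"),
    "example-lib": ("1.0.0", "1.3.0"),
}

# Illustrative end-of-life component that no longer receives any fixes.
EOL_COMPONENTS = {"legacy-eol"}


def parse_version(text):
    """Turn '2.17.1' into a comparable tuple, padding to three fields."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(name, version):
    """True when version lies in [first_affected, first_fixed) for a listed component."""
    if name not in ADVISORIES:
        return False
    lo, hi = ADVISORIES[name]
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def audit(sbom_json):
    """Return {component name: status} for every component in one SBOM."""
    result = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        if name in EOL_COMPONENTS:
            result[name] = "eol"
        elif is_affected(name, version):
            result[name] = f"vulnerable, fix available in {ADVISORIES[name][1]}"
        else:
            result[name] = "ok"
    return result


def compare(old_json, new_json):
    """Classify how each component moved between two SBOMs of the same project."""
    old = {c["name"]: c["version"] for c in json.loads(old_json)["components"]}
    new = {c["name"]: c["version"] for c in json.loads(new_json)["components"]}
    verdict = {}
    for name, version in new.items():
        prev = old.get(name)
        if name in EOL_COMPONENTS:
            verdict[name] = "eol"
        elif prev is not None and prev != version and is_affected(name, version):
            # Bumped, but landed on another version inside the affected range.
            verdict[name] = "upgraded-still-vulnerable"
        elif is_affected(name, version):
            verdict[name] = "still-vulnerable"
        else:
            verdict[name] = "ok"
    return verdict


if __name__ == "__main__":
    for name, status in compare(OLD_SBOM, NEW_SBOM).items():
        print(f"{name:12s} {status}")
```

Run against the constructed inputs, `compare` flags `log4j-core` as "upgraded-still-vulnerable" (2.14.1 to 2.15.0 is a bump that never leaves the affected range), `example-lib` as "ok" (1.3.0 is the first fixed version), and `legacy-eol` as "eol". In practice the advisory table would come from a vulnerability feed keyed by package URL rather than a hand-written dictionary, and the SBOM would be the one generated at build time; the classification logic stays the same.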

Read more at Sonatype.

10/18/2024
