Introducing the Mend Open Source Risk Report
Table of Contents
Companies can’t function without software and applications, and threat actors know it. And as the importance of software supply chains increases, so has the number of attacks launched at them. To fight back, companies need knowledge, and that’s where the Mend Open Source Risk Report comes in.
The report, which draws data from several sources, including our industry-leading vulnerability database and Mend Supply Chain Defender, delves into the significant risk posed by the ongoing rise in open source vulnerabilities and software supply chain attacks. According to the report, the number of open source vulnerabilities that Mend identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than the first nine months of 2021, reflecting both the growth in the number of published open source packages and the acceleration of vulnerabilities. As businesses continue to heavily rely on their applications for success, this growing threat is a mounting concern.
Key findings from the report include:
- 33 percent growth in the number of open source software vulnerabilities that Mend added to its vulnerability database in the first nine months of 2022 compared with the same time period in 2021. This outstrips the estimated 25 percent growth in the amount of open source software available.
- According to a representative sampling of approximately 1,000 North American companies from January to September 2022, only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those companies using best practices for application security.
- Data from Mend Supply Chain Defender shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which increased 79 percent from Q2.
“As security debt continues to rise, it’s crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack,” said Jeffrey Martin, VP Product Management at Mend. “Using remediation tools to assess and prioritize the vulnerabilities that can most heavily impact systems is an important element to managing security debt. However, organizations should not just pay attention to severity details to ensure effective prioritization and remediation. They also need to look at the context in which flaws are exploited, both on their own and in conjunction with others.”
While companies remediate thousands of vulnerabilities each month, it takes modern remediation best practices to handle the ongoing wave of new vulnerabilities detected to prevent a growing backlog of vulnerabilities. The increase in open-source vulnerabilities outstrips the estimated 25 percent growth in the amount of open source software available. With applications being the lifeblood of the global economy, regular application security scanning and use of prioritization and remediation tools are essential.