目录
1、文案来源:Synopsys《2021开源安全和风险分析报告》
2、文案来源:Sonatype《2021年软件供应链状况报告》
3、文案来源:WhiteSource《2021年软件供应链状况报告》
4、文案来源:anchore《2022年软件供应链安全报告》
5、文案来源:国家计算机网络应急技术处理协调中心《2021 年开源软件供应链安全风险研究报告》
满满干货的过程文档哦,快快收藏~
1、文案来源:Synopsys《2021开源安全和风险分析报告》
数据来源:CyRC团队共审查了17个行业中超过 1, 500个商业代码库的匿名审计结果。
提炼文案:
- 有84%代码库包含至少1个公开开源漏洞--比2019年的75%增加了9%
- 有60%代码库包含高风险开源漏洞--比2019年的49%大幅增加了11%
- 每个代码库平均有158个漏洞
- 有65%的代码库中包含存在许可证冲突的开源代码
- 有91%的被审代码库中含有过去两年未曾更新的开源依赖项;85%的代码库含有至少四年未曾更新的开源依赖项
- 75%的代码由开源代码组成
- 金融行业、能源行业、医疗行业、物联网行业、营销科技行业、电子商务、车联网行业、物流行业中超过60%的企业其代码库中都包含开源漏洞
文案原文:
在BlackDuck审计服务团队2020年审计的1500多个代码库中,有84%代码库包含至少一个公开开源漏洞——比2019年的75%增加了9%,成为自2017年以来的第二大增幅。同样,包含高风险开源漏洞的代码库百分比在2020年增长至60%,比2019年的49%大幅增加了11%。“高风险”表示该漏洞已被主动利用,且有已记录的概念验证漏洞利用程序,或已被归类为远程代码执行漏洞。2020年的审计中再次发现了2019年在代码库中发现的几个十大开源漏洞,并且所有这些漏洞的百分比均有显著增加。
100%的被审营销科技类公司—包括潜在客户生成、CRM和社交媒体—的代码库中都包含开源代码。95%的营销科技代码库中包含开源漏洞。71%的被审零售和电子商务代码库包含漏洞。超过60%的金融服务/金融科技和医疗保健行业代码库中包含开源漏洞。
BlackDuck审计服务团队发现,2020年的被审代码库中有65%包含存在许可证冲突的开源代码,比2019年略有减少。纵观存在许可证冲突的代码库,近四分之三与某个版本的“GNU通用公共许可证”存在冲突。26%的被审代码库使用了没有许可证或定制许可证的开源代码。使用定制开源代码许可证的代码库是否存在可能的IP和其他法律问题,需要评估后才能确定。
开源的可持续性在BlackDuck审计服务团队2020年审计的1,500多个代码库中,居然有91%使用了在过去两年中没有发生任何开发活动的开源依赖项,这意味着91%的被审代码库中包含在过去两年中没有进行过功能升级、代码优化和任何安全问题修复的依赖项。Black Duck审计服务团队2020年审计的代码库中,85% 的代码库含有至少四年未曾更新的开源依赖项。也就是 说,代码库使用的开源库并非最新版本,甚至经常是很 旧的版本。如前所述,开发团队显然难以维护开源依赖 项的时新性。
2、文案来源:Sonatype《2021年软件供应链状况报告》
提炼文案:
- 四大开源社区,截至2021年7月,共有Java项目431k个; JavaScript项目19k个;Python项目336k个;.NET项目338k个
- 开源供应正在加速,全球开源供应的年环比增长20%
- 开源需求呈爆炸式增长,组件下载量同比增长73%
- 供应链攻击呈指数级增长,2021世界上软件供应链攻击增加了650%
- 开源漏洞在流行项目中最为普遍,29%的流行项目至少包含一个已知的安全漏洞
文案原文:
Open source supply is acceerating. The top four open source ecosystems released a combined 6,302,733 new versions and introduced 723,570 brand new projects. Collectively, these communities now contain a combined 37,451,682 different versions of components, representing a 20% year over year (YoY) growth in global supply of open source.
Open source demand is exploding. In 2021 developers around the world will request more than 2.2 trillion open source packages from these same four ecosystems, representing a 73% YoY growth in developer downloads of open source components. Despite the growing volume of downloads, the percentage of available components utilized in production applications is shockingly low.
Supply chain attacks are increasing exponentially. In 2021 the world witnessed a 650% increase in software supply chain attacks, aimed at exploiting weaknesses in upstream open source ecosystems. For perspective, the same statistic was 430% in the 2020 version of the report.
Open source vulnerabilities are most pervasive in popular projects. 29% of popular projects contain at least one known security vulnerability. Conversely, only 6.5% of non-popular projects do so. This dichotomy suggests that the vast majority of security research (blackhat and whitehat) is focused on finding and reporting vulnerabilities in projects that are most commonly utilized.
3、文案来源:WhiteSource《2021年软件供应链状况报告》
数据来源:WhiteSource开源漏洞数据库
提炼文案:
- 2020年公开发布的开源软件漏洞数量为9658,增幅超过50%
- 超过50%的新开源漏洞被认为是高危或以上漏洞
文案原文:
The Number of Open Source Vulnerabilities Continues to Rise. According to the WhiteSource database, aggregated from the NVD, dozens of security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, the number of published open source software vulnerabilities in 2020 rose once again, by over 50%
Open Source Vulnerabilities in 2020: Severity Breakdown
The fact that over 50% of new open source security vulnerabilities are rated high or critical doesn't help security and development teams that rely on severity scores when considering which issues to address first.
Fixing all issues, or even "only" high and critical issues, is an unrealistic plan for teams that want to keep up with the rapid pace of development.
Organizations need to leverage prioritization and remedian tools that target the vulnerabilities that will most impact their systems and business if they want to manage their security debt wisely.
4、文案来源:anchore《2022年软件供应链安全报告》
数据来源:针对大型企业(员工数在5001-10000的占比为24%;员工数超过1w的占比为32%;)的IT、安全、开发和DevOps 职能部门的428名高管、董事和经理的调查结果。
提炼文案:
- 62%的组织受到至少一次软件供应链攻击的影响
- 54%的受访者认为保护软件供应链是首要或重要的焦点
- 24%的受访者将开源软件容器的安全性列为头号挑战
文案原文:
Supply Chain Attacks Impact 62% of Organizations A combined 62 percent of respondents were impacted by at least one software supply chain attack during 2021, with 6 percent reporting the attacks as having a significant impact and 25 percent indicating a moderate impact.
More than half of respondents (54 percent) indicated that securing the software supply chain is a top or significant focus, while an additional 29 percent report that it is somewhat of a focus. This indicates that recent, high-profile attacks have put software supply chain security on the radar for the vast majority of organizations, while very few (3 percent) indicate that it is not a priority at all.
Open Source is the Top Container Security Challenge Developers incorporate a significant amount of open source software (OSS) in the containerized applications they build. As a result, the Security of OSS containers is ranked as the number one challenge by 24 percent of respondents with almost half (45 percent) ranking it among their top three challenges. Ranked next was Security of the code we write with 18 percent of respondents choosing that as their top container security challenge and Understanding full SBOM with 17 percent.
5、文案来源:国家计算机网络应急技术处理协调中心《2021 年开源软件供应链安全风险研究报告》
数据来源:
①国家信息安全漏洞 CNVD 共享平台(http://www.cnvd.org.cn/)、美国国家漏洞库(https://nvd.nist.go v/)、通用漏洞披露库(https://cve.mitre.org/)等
②CocoaPods4、Composer5、Go 6、Maven7、npm 8、Nuget9、 PyPI10、Rubygems11这 8 个主流的仓库作为研究对象
提炼文案:
- 2020年新增开源漏洞5726个
- 开源软件漏洞由 POC 披露到 NVD 首次公开时间长达 11 年
- 2020年高危及以上漏洞占比为56%;2017年-2020年占比均超 40%
- 2020年开源组件生态中的漏洞数环比增长40%
- 2020年新增漏洞中,高危漏洞占比最高,数量为1826个;超危漏洞逐年递增
6、文案来源:NIST《十年来反复出现的软件弱点》
提炼文案:
- 在2020年,有超过18000个记录在案的软件漏洞支持恶意活动。
小可爱们~多多关注 多多分享多多收藏呦~
223
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
