
GitHub's report on open-source security

([Security] Dec 4, 2020 15:40 UTC (Fri) (corbet))


GitHub has released its [1]"2020 State of the Octoverse" report; one piece of that is [2]a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."



[1] https://octoverse.github.com/

[2] https://octoverse.github.com/static/2020-security-report.pdf