Open Source software is supposed to be ‘more secure’ because there are multiple eyes on the code. This study paints an alternative version of reality…:
[…] Among the most noteworthy findings of the study, which relied on data from 2,694 vulnerabilities in 54 open source projects, was the 130% rise in the number of recorded CVEs in 2019. “This increase does not appear to be a flash in the pan as the discovery of new CVEs also remains at historically high levels through the first three months of 2020,” the researchers warned, adding that it is therefore becoming more important to manage one’s attack surface.
The researchers also noted widespread problems in NVD disclosure latency, meaning that for security vulnerabilities to be added to the National Vulnerability Database, the process can take a very long time.
While the researchers noted the average time as being 54 days, the longest observed lag was as long as 1,817 days—nearly five years. “This latency creates a dangerous lack of visibility for organizations who rely on the NVD as their main source of CVE data and context information,” the researchers cautioned.