Vulnerability Detection in Open Source Software: An Introduction

This paper is an introductory discussion on the cause of open source software vulnerabilities, their importance in the cybersecurity ecosystem, and a selection of detection methods. A recent application security report showed 44% of applications contain critical vulnerabilities in an open source component, a concerning proportion. Most companies do not have a reliable way of being directly and promptly notified when zero-day vulnerabilities are found and then when patches are made available. This means attack vectors in open source exist longer than necessary. Conventional approaches to vulnerability detection are outlined alongside some newer research trends. A conclusion is made that it may not be possible to entirely replace expert human inspection of open source software, although it can be effectively augmented with techniques such as machine learning, IDE plug-ins and repository linking to make implementation and review less time intensive. Underpinning any technological advances should be better knowledge at the human level. Development teams need trained, coached and improved so they can implement open source more securely, know what vulnerabilities to look for and how to handle them. It is the use of this blended approach to detection which is key.