
The Energy Collective Group
Open source software security vulnerabilities exist for over four years before detection | ZDNet
This December 2nd report from GitHub contains insights that give utility companies good reasons to implement software supply chain risk assessment controls based on industry best practices aligned with the NIST Cybersecurity Framework. Here are a few of the valuable insights from the report:
- It can take an average of over four years for vulnerabilities in open source software to be spotted
- GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created -- and over 1.9 billion contributions added -- over the course of the year.
- You would be hard-pressed to find a scenario where your data does not pass through at least one open source component
- Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world
- GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript -- 94% -- as well as Ruby and .NET, at 90% each.
- On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month.
- According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert.
- The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist.
- Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.
Energy Central hosted a PowerSession on August 12, 2020 presenting best practices for software supply chain risk assessments for NERC CIP-010-3 software verification controls, which is available on demand here: https://energycentral.com/o/energy-central/demand-energy-central-powersession-series-cybersecurity-us-power-grid-software
GitHub research suggests there is a need to reduce the time between bug detection and fixes.