Users love using software components with known vulns more than ever, GitLab research shows

Over half of projects hosted on GitLab.com included components with “known vulnerabilities”, research by the DevOps vendor has shown.

Using components with known vulnerabilities – unwittingly we have to hope – was the most common security facepalm according to the research, which also found the percentage of projects using components with known vulns had increased by 6 per cent.

The study – GitLab’s first comprehensive dig into security trends – pulled together findings from SAST, DAST, dependency and container scanning, secret detection, and scan results from third-party tools.

GitLab said: “The issues were identified during the CI/CD process, prior to the applications and containers deploying to production environments.” Which means, hopefully, that the project owners nixed the flakey components concerned before they shipped.

Overall, the survey found that GitLab users had increased vulnerability scanning by 161 per cent, while the total number of vulnerabilities found per month had climbed by 73 per cent.

After flakey components, the next two most common vulns were cross-site scripting, at 21 per cent of projects, and the lack of secret management, at 18 per cent of projects.

Cross-site scripting vulns had increased by 20 per cent over the survey period. The growth in the number of projects with inadequate secret management was 6 per cent.

The biggest increase came in content security protection, which jumped from seventh place to fourth place over the period, with 8 per cent of projects now lacking this form of security.

This represented a leapfrogging over old favourites, cross-site request forgery and SQL injection, both of which were still found in 6 per cent of projects.

Of course, there are other vulnerabilities users can fall prey to, but GitLab said it would only be highlighting those affecting 5 per cent or more of the projects hosted on its platform.