Developer mistakes and indirect dependencies are the two main sources of vulnerabilities in open source software projects, which together are expected to cause the majority of security alerts in the next year, according to GitHub’s annual Octoverse report, published today.
Using data collected from its own platform, GitHub found the vast majority of projects used open source software, from a low of 65% for Java applications to a high of 94% for JavaScript applications. On average, a vulnerability goes undiscovered for 218 weeks, or more than four years, while it takes just over a month to fix the average vulnerability.
Developers must anticipate the need to fix issues quickly and improve open source security, rather than finding ways to reduce reliance on open source, says Maya Kaczorowski, senior director of product management for GitHub.
“Rather than…