The Package Popularity Trap

Recent analysis conducted by our team at Slim has revealed an intriguing paradox: the most widely utilized and popular packages also happen to harbor the greatest number of CVEs, which in turn signifies a greater security threat.

However, this trend can, perhaps, be attributed to a simple byproduct of heightened scrutiny: As the spotlight shines brighter, so too does our awareness of shortcomings and imperfections. One mustn't overlook the long-tail of packages, as they are not necessarily vulnerability-free; rather, our limitations in terms of human capacity prevent us from uncovering all potential threats without an army of security researchers at our disposal. Recent developments in Generative AI will certainly challenge this dynamic.

Here, I share our most recent deep-dive into the world of container-based CVEs, first released at RSA Conference 2023 earlier this week, and then explore how advancements in Generative AI might impact the way we manage and remediate vulnerabilities in the future.

Our findings

Our research team has analyzed more than three million individual container IDs, utilizing SBOM and vulnerability scanning tools to generate unique profiles and gain insights into the current state of container security. Our analysis covered more than 54,000 packages (purls) containing 7.5K distinct CVEs.

Our findings highlight the massive attack surface that developers and DevSecOps teams need to deal with on a daily basis, and the huge level of complexity that organizations face in implementing vulnerability remediation programs.

Popularity Drives Vulnerability Discovery

A small number of packages account for a large proportion of the CVEs that DevSecOps teams encounter daily. The top one-percent of packages by popularity (i.e., the frequency with which they appear in container images) are responsible for 25-percent of the overall vulnerability count. This highlights the importance of prioritizing and addressing the most critical vulnerabilities in widely used packages.

The data shows that package popularity influences the likelihood of being impacted by CVEs. Packages in five popular containers have, on average, eight CVEs, with 17-percent being impacted. As the number of containers sharing a package increases, so does likelihood the package has known CVEs. For example, packages shared by 20 or more containers have 15 CVEs on average with 25-percent being impacted. Those shared by 30 or more containers have 26 CVEs on average, with 36-percent being impacted.

However, this finding may make the problem of vulnerability sound simpler than it really is.

The potential for a false sense of security

The uncharted territory in the container landscape related to CVEs is huge. These results may be more emblematic of the focus of security researchers — who tend to spend time on high-profile packages — rather than actual security.

We found 86-percent of packages report zero known vulnerabilities. But organizations that make the assumption those are OK to ship may be walking into a trap. The simple fact that these packages have not yet been as tempting of an attack target as the more widely-deployed ones does not imply security, any more than a decade of leaving a door unlocked without incident means that it will still be safe to do so tonight.

This is an area where Generative AI is sure to change the game in the long run, but in the short term, we are sure to see more zero-day incidents. Suddenly, aiming your skills and tools at narrowly-deployed packages can be profitable, even if only one or two images in the whole world use them. If nothing else, such exploits can be stockpiled in reserve, waiting for a worthwhile target to adopt and deploy them. (See Stuxnet's use of four zero-day vulnerabilities, for example.)

CVE Detection Has Gotten Faster — But Is About To Be Disrupted

We now detect CVEs at twice the rate than they were five years ago. This increased detection rate is likely due to more security researchers, enhanced focus on CVEs and containers, improved scanning tools, increased awareness, and a more significant number of software packages being scrutinized.

This increase is still on human scale and relies on several manual processes and human-generated code. As Generative AI begins to both write code itself and be used on both sides of the cybersecurity landscape, we'll begin to see (one hopes) fewer exploits created by human error and faster discovery of exploits through automated processes.

Conclusion

These findings warrant more research and discussion on the need to better understand and secure our containers, lest development teams get lost in a sea of new vulnerabilities.

The faster detection rate of CVEs, the prevalence of vulnerabilities in popular packages, and the dominance of the top 1-percent of packages in vulnerability counts emphasize the importance of robust container security practices.

DevSecOps teams must remain vigilant and proactive in their efforts to secure containers, ensuring that applications are built on secure foundations and that dependencies are regularly updated to minimize the risks associated with known vulnerabilities.

Join me and other industry leaders at Open Source Summit North America to explore this topic in more depth.