More than 56 million developers have been busy building projects on the now Microsoft-owned platform GitHub - and those developers have added more than 1.9 billion contributions, as well as more than 60 million repositories.
GitHub's 2020 State of the Octoverse report crunched the numbers to find out how the year has unfolded for its massive global community.
“We see increased development work—both time spent and amount of work—across all time zones we investigate. It's unclear if developers are taking advantage of flexible work schedules, or stretching the same amount of work over a longer period of time. However, in some cases work volume increases. Developers may be taking advantage of flexible schedules to manage their time and energy, which contributes to this sustained productivity,” GitHub says.
However, most security vulnerabilities are not deliberately malicious but are instead mistakes. GitHub says that of the CVEs that GitHub flags, 83% are due to mistakes - not malicious intent.
Further, 17% of vulnerabilities were classed as malicious, yet they triggered a mere 0.2% of all alerts. These malicious vulnerabilities include bugdoors and backdoors, which can often be obscured from developers.
GitHub's Securing The World's Software sub-report states, “The last line of defence against these backdoor attempts is careful peer review in the development pipeline, especially of changes from new committers. Many mature projects have this careful peer review in place. Attackers are aware of that, so they often attempt to subvert the software outside of version control at its distribution points or by tricking people into grabbing malicious versions of the code through, for example, typosquatting a package name.
In some projects, security vulnerabilities can remain undetected for four years, however once handed over to the package maintainer and security community, a patch or fix can be created in just over four weeks.
The report suggests that developers:
- Regularly check dependencies for vulnerabilities
- Fix vulnerabilities quickly and maintain a current code base.
- Use automation to remediate vulnerabilities and protect security
- Participate in the community if developers have a security team.