OpenJS Foundation reports poor security practices across industries in North America, UK and Europe
SAN FRANCISCO – November 1, 2023 – Global web infrastructure is in a precarious position based on new research by the OpenJS Foundation thanks to an OpenSSF grant.
The OpenJS Foundation is announcing the results of an end-user audit based on an IDC survey that shows three-quarters of a billion websites are running out of date software, with most capturing personal and financial information. Over one-third of respondents confirm having experienced a security incident in the last 24 months.
The OpenJS Foundation analyzed the IDC survey results of this end-user audit and other data points and estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade. Due to the size of the problem, the OpenJS Foundation suggests that a behavioral change to web security is required.
- 89% of random survey respondents reported knowing the use of jQuery on their internet-facing websites
- 80% of these organizations capture vital information such as personal identifiable information (PII), including payment information (52%) location (64%), contact information (80%)
- Websites are essential or high priority for 85% of respondents
- The business damage from security incidents is severe with 28% reporting loss of customers and 29% reporting loss of revenue. Additionally, 39% reported regulatory violations, and 45% reported brand damage
- Better security is the #1 motivation for upgrading for 48% of respondents
The end-user audit conducted by IDC surveyed more than 500 people in 23 industries across North America, UK and Europe, representing small, medium and large organizations.
It is the responsibility of business owners and developers to make their websites secure. Getting actionable information is a key part of the process. Keeping packages up to date is an important way to improve security. Any one package may not be a site’s main security issue and packages can be abused, or used in ways that open up security problems.
Al Gillen, group vice president, Software Development and Open Source IDC, IDC, in a blog post published today on the OpenJS Foundation blog, states: “The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks.” Full IDC blog post is available here.
“There’s a big problem when three-quarters of a billion websites need an upgrade of just one open source project. It leads us to believe companies are using more outdated and unsupported technologies and potentially putting consumers at risk,” said Robin Bender Ginn, executive director of OpenJS Foundation. “To solve a problem of this scale, we need to start thinking about regular assessments of website technology, similar to how people visit their doctor every year for a physical medical checkup.”
As a result of the study, the OpenJS Foundation is developing a free Healthy Web checkup tool. It will be provided widely to businesses and organizations around the world. The OpenJS Foundation is also seeking to partner with governments, businesses, and consumer advocacy organizations to better the health of the global web economy.
jQuery made web page development approachable to everyone, but has led to millions of websites remaining on older, unsupported versions. Even as the jQuery Team releases security fixes, these sites often don’t update and remain vulnerable.
The IDC survey, the Healthy Web checkup tool, and many security improvements were funded by an Alpha-Omega grant. As an associated project of the Open Source Security Foundation, Alpha-Omega’s mission is to catalyze sustained security improvements to the most critical open source software and ecosystems.
“Many of our engagements start with an audit and then fund security fixes. This situation called for a different approach and we were keen to help,” said Bob Callaway, co-lead of the Alpha-Omega project and engineering manager of Google’s Open Source Security Team. “The Healthy Web checkup tool will be an innovative solution to a thorny problem,” he added. “This problem is not unique to jQuery. We’re hopeful this work can be extended to help everyone understand and mitigate the global risk.”
“Secure open source software is a public good,” said Omkhar Arasaratnam, general manager of the Open Source Software Foundation (OpenSSF). “We applaud the OpenJS Foundation for making the web more secure through the OpenJS Healthy Web checkup.”
The OpenJS Healthy Web checkup tool takes 5 seconds and currently only checks the version of jQuery. It is a great indicator of whether or not organizations have implemented security practices because of how ubiquitous it is and how easy it is to test.
“The first step to improve the health of your website is to find out if your technology stack needs to be upgraded,” said Michał Gołębiowski-Owczarek, jQuery Core Team member and Senior Staff Software Engineer at Sumo Logic. “We’re constantly improving the security and performance of jQuery and ask people to check the versions of software used on their sites either with the upcoming Healthy Web checkup tool from the OpenJS Foundation or their own assessment.”
“It is everyone’s responsibility to make their own websites secure. That’s not always a simple task, but ensuring packages are up to date can be a good place to start,” said Timmy Willison, Team Lead for jQuery Core and Lead Front-End Engineer at worbler.ai. “The jQuery Team is pleased to work with the OpenJS Foundation as a part of this Healthy Web checkup campaign. Please join with us and the OpenJS Foundation to help improve the health of the consumer web.”
“Consumer-facing software requires regular maintenance. Checking for updates from packages like jQuery and keeping your website secure is essential. The open web plays such an important role in modern life,” said Timo Tijhof, Infrastructure Lead for jQuery and Principal Engineer at the Wikimedia Foundation. “Like going to a doctor for regular checkups, auditing your website regularly is key to good web health. Please do your part!”
The OpenJS Healthy Web checkup tool is currently in beta and limited for use by technical evaluators and OpenJS members. General availability is planned for early 2024. OpenJS Foundation is actively seeking partner organizations to join in this important effort.
The new IDC study is freely available: The Benefit of Modernizing jQuery Deployments
To learn more about how you could be a part of the OpenJS Foundation, click here.
About OpenJS Foundation
Alpha-Omega is an associated project of the OpenSSF, established in February 2022, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly. For more information please visit the Alpha-Omega website.
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
About Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1000 members and is the world’s leading home for collaboration on open source software, open standards, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js and more are considered critical to the development of the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit their website.
This post was originally published on PR Newswire.