Open-source security really shouldn't be this leaky

A hand writing the words Open Source
(Image credit: Shutterstock)

As businesses become increasingly reliant on free and open source (FOSS) software, unnecessary risks to their security posture are being taken. 

A report from software supply chain security firm Sonatype paints a dire picture of the types of open-source software that businesses are relying on, perhaps as a means to cut software costs.

Its State of the Software Supply Chain Report found developers download 1.2 billion vulnerable dependencies every month, and of that number, 96% have had a non-vulnerable alternative.

A surge in OSS supply chain attacks

Attacking open-source repositories that are later downloaded and integrated into corporate software is a clear example of a supply chain cyberattack. 

With some 1,500 dependency changes per application every year, maintaining open-source ecosystems puts a great deal of pressure on developers, and mistakes are always going to be made.

Perhaps as a result, Sonatype is reporting that this type of cyberactivity has seen a massive surge, increasing by 633% year-on-year. 

However, it believes there's a solution: primarily, minimizing dependencies and speeding up software updates on endpoints. It also recommends raising awareness of vulnerable FOSS dependencies among engineering professionals.

Sonatype found that over two-thirds (68%) were confident their apps weren’t using vulnerable libraries, despite that fact that the same percentage of enterprise apps - 68% - were found to contain known vulnerabilities in their open-source software components. 

What’s more, IT managers were over twice as likely to believe that their firms address software issues regularly during the development stage than their IT security peers. 

For Sonatype, businesses need to simplify and optimize the software development process with smarter tools and more visibility, and better automation.

Supply chain attacks have been some of the most devastating cyber-incidents ever in recent years, including incidents based on the log4j vulnerability, and the SolarWinds compromise. Even today, cybercriminals are compromising organizations of all shapes and sizes using the log4j flaw. 

Via: VentureBeat

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.