
Top 10 Open-Source Software risks identified
As part of an effort to better educate cybersecurity teams about issues that can lead to software supply chains being compromised, Endor Labs, a provider of platforms for managing open-source software, has published a report identifying the top 10 open-source software risks of 2023. The primary goal is to create greater awareness of application security issues that arise from the way open-source software is developed and consumed. The list includes:
Known Vulnerabilities: A version of a software component may contain vulnerable code that is accidentally introduced by its developers. When vulnerability details are publicly disclosed, there may not be a patch readily available.
Unmaintained Software: A software component may not be actively developed anymore, resulting in patches for functional and non-functional bugs not being provided in a timely manner or at all.
Name Confusion Attacks: Attackers may create components whose name resembles the names of legitimate open-source or system components, also known as typo-squatting. They might also attempt to mimic trustworthy authors (brand-jacking) or play with common naming patterns in different languages or ecosystems (combo-squatting).
Compromise of Legitimate Package: Attackers may compromise resources that are part of an existing legitimate project or associated distribution infrastructure to inject malicious code into software components.
Outdated Software: A project may use an old, outdated version of a software component even though a newer, more secure version exists.
Untracked Dependencies: Developers may not be aware of a dependency on a component because it is part of another upstream module they employed.
License Risks: A software component or project may not have a license at all, or it may have a license that is incompatible with the intended use or whose requirements are not or cannot be met.
Immature Software: An open-source project may not apply development best practices, such as using a standard versioning scheme or maintaining a regression test suite, review guidelines, or documentation.
Unapproved Changes: A software component may change without developers being able to notice, review or approve such changes because the download link points to an unversioned resource, a maliciously modified versioned resource, or due to an insecure data transfer.
Unknown Origin: Details about the source code, build process, or distribution process of a software component may be unknown or non-verifiable.
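Several of the risks above (unpinned or insecurely fetched artifacts, missing hashes, look-alike names, undeclared licenses, and transitive dependencies nobody listed) are properties a dependency manifest audit can check mechanically. The following script is an added example, not tooling from Endor Labs or the report: it audits a constructed manifest and maps each finding back to the risk category it corresponds to. The `Dependency` structure, the `KNOWN_PACKAGES` allowlist and the `SAMPLE_MANIFEST` entries are all assumptions made up for the example.

```python
"""Manifest audit for open-source supply-chain risks.

Added example (not from Endor Labs or the article). All package names,
URLs, hashes and the dependency graph below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist of well-known package names. A real audit would use
# registry popularity data or an internal approved-packages list instead.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "numpy"}


@dataclass
class Dependency:
    name: str
    version: Optional[str]         # None means "latest", i.e. unpinned
    url: str                       # where the artifact is fetched from
    sha256: Optional[str] = None   # expected artifact digest, if recorded
    license: Optional[str] = None  # declared license, if any
    requires: list = field(default_factory=list)  # names of its own deps


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names (typo-squatting)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def audit_dependency(dep: Dependency) -> list[str]:
    """Return the risk findings for one directly declared dependency."""
    findings = []
    if dep.version is None:
        findings.append("Unapproved Changes: unpinned version")
    if not dep.url.startswith("https://"):
        findings.append("Unapproved Changes: insecure transfer (non-HTTPS URL)")
    if dep.sha256 is None:
        findings.append("Unapproved Changes: no artifact hash to verify against")
    if dep.license is None:
        findings.append("License Risks: no license declared")
    if dep.name not in KNOWN_PACKAGES:
        # A name within two edits of a well-known package is suspicious.
        for known in sorted(KNOWN_PACKAGES):
            if edit_distance(dep.name, known) <= 2:
                findings.append(f"Name Confusion: '{dep.name}' resembles '{known}'")
    return findings


def transitive_closure(direct: list, graph: dict) -> set:
    """All package names reachable from the directly declared set."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(graph.get(name, []))
    return seen


def untracked_dependencies(direct: list, graph: dict) -> list:
    """Packages pulled in transitively but absent from the manifest."""
    return sorted(transitive_closure(direct, graph) - set(direct))


def audit_manifest(deps: list) -> dict:
    """Audit every declared dependency, then flag untracked transitive ones."""
    report = {d.name: audit_dependency(d) for d in deps}
    graph = {d.name: d.requires for d in deps}
    for name in untracked_dependencies([d.name for d in deps], graph):
        report[name] = ["Untracked Dependencies: pulled in transitively, "
                        "not declared in the manifest"]
    return report


# Constructed sample manifest: one well-formed entry and one that exhibits
# several of the listed risks at once (hash value is a placeholder).
SAMPLE_MANIFEST = [
    Dependency("requests", "2.31.0",
               "https://example.invalid/requests-2.31.0.tar.gz",
               sha256="<placeholder-digest>", license="Apache-2.0",
               requires=["urllib3", "charset-normalizer"]),
    Dependency("reqeusts", None,
               "http://example.invalid/reqeusts-latest.tar.gz"),
]

if __name__ == "__main__":
    for name, findings in audit_manifest(SAMPLE_MANIFEST).items():
        print(name, "->", findings or ["no findings"])
```

Each finding string starts with the risk category from the list, so the output can be rolled up by category. The name check is deliberately simple (an edit distance of two or less against an allowlist); production tooling would also compare against author names and common suffix patterns to catch brand-jacking and combo-squatting.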
Organizations need more visibility into the operational risks that come with increased reliance on open-source software, especially as more of them focus on securing their software supply chains in the wake of a series of high-profile breaches. That doesn’t mean organizations should use less open-source software, but there are cybersecurity issues that many developers may not always appreciate. For example, a recent analysis of nearly 2,000 software packages published by Endor Labs found 95% of all application vulnerabilities can be traced back to a transitive dependency created when a developer employed an open-source component.
Regardless of the root cause of any cybersecurity risk, it’s the responsibility of cybersecurity teams to mitigate it. The issue is that the historic divide between cybersecurity teams and application developers makes assessing those risks a major challenge, and those risks can’t be assessed until cybersecurity teams first know what they need to focus on.