The benefits of open source software are many. IT professionals can use already developed code while also hopefully contributing their work to others, saving time and money through collaboration. It is also widely known that open source software is often more secure than proprietary software.
However, open source software creates security risks that must be addressed by organizations. According to a new study from Endor Labs, 80% of code used in modern applications is code generated through open source packages.
10 Open Source Software Risks
For its study, Endor Labs, which provides a dependency lifecycle management platform, has outlined the top 10 problematic properties of open source software.
“Open source risk management has fallen behind open source usage,” said Endor Labs CEO and co-founder Varun Badhwar. “At their core, most open source security programs focus on license compliance and known vulnerabilities, both of which do not capture the biggest risks to modern software supply chains.”
Calculating and Mitigating Open Source Software Risks
To identify and mitigate risks properly, organizations must evaluate and manage their open source software dependencies.
Direct software dependency is explicitly defined and included in a developer’s code base, offering users more transparency around how components interact. Oftentimes, though, software relies on transitive dependencies, which are not always expressly included in a developer’s code. For example, a library or module might depend on software that depends on separate unlisted software. Identifying all dependencies and analyzing the relationships between dependencies is a crucial step for risk mitigation.
The No. 1 risk, however, is the use of components with known vulnerabilities – e.g., Log4Shell. The financial and reputational damage can be significant, as demonstrated by incidents like the 2017 Equifax data breach, where overall costs were said to exceed $1 billion.
IT pros are most likely to overlook OSS-Risk-10, under/oversized dependency, said Endor Lab’s lead security researcher, Henrik Plate. “That’s because developers commonly have little insight into the size of a dependency, especially if it is indirect, and whether they use a small or significant share of its code,” Plate noted.
Endor Labs does not expect the open source software risks outlined in its list to change significantly anytime soon. However, the threat landscape evolves quickly, as attackers devise new techniques to subvert the security of software supply chains. IT pros should expect new countermeasures as risks emerge, as well as advancements in the regulatory environment for software and service providers.
