While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, according to a report by Endor Labs. Known vulnerabilities, compromise of a legitimate package, and name confusion attacks are expected to be among the top ten open source software risks in 2023, the report says. The other major risks it lists are unmaintained software, outdated software, untracked dependencies, license risk, immature software, unapproved changes, and under/oversized dependencies.

Almost 80% of the code in modern applications relies on open source packages. Since open source software comes as-is, without warranties of any kind, the risk of using it is borne entirely by the user. This makes the selection, security, and maintenance of open source dependencies crucial steps toward software supply chain security, the report said.

The Endor Labs report covers both operational and security issues associated with open source components that can lead to compromised systems, data breaches, compliance failures, and reduced availability. It features contributions from 20 industry experts, including CISOs from HashiCorp, Adobe, Palo Alto Networks, and Discord.

Top three open source security risks

Known vulnerabilities are the top risk associated with open source software, according to the report. This risk arises when a component version contains vulnerable code that its developers introduced accidentally. If a threat actor exploits a known vulnerability, it can compromise the confidentiality, integrity, or availability of the affected system or its data, the Endor Labs report said.
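The known-vulnerability risk is usually handled by matching an inventory of components against advisories and then ranking what comes back. The following is an added example written for this article, not code from Endor Labs or from the report; the advisory records are constructed (the affected ranges for the two real CVEs are simplified to a single branch each, and the third entry is a placeholder), and the scoring weights are an assumption chosen to push exploited and remote code execution findings to the top of the list.

```python
"""Match an inventory of open source components against known-vulnerability
advisories and rank the findings so remediation goes to the riskiest first."""
from dataclasses import dataclass


def parse_version(version):
    """Turn '2.3.15' into (2, 3, 15) so versions compare as tuples. Non-numeric
    fragments such as '15-beta' contribute only their digits (simplification)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    cvss: float
    exploited: bool   # exploitation in the wild has been observed
    poc: bool         # a public proof-of-concept exploit exists
    rce: bool         # remote code execution


# Constructed advisory list. The first two entries are the CVEs named in the
# article with their affected ranges simplified to one branch each; the third
# is a placeholder identifier for a low-severity finding. Not real feed data.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", "2.3.5", "2.3.32", 10.0, True, True, True),
    Advisory("CVE-2021-44228", "org.apache.logging.log4j:log4j-core", "2.0", "2.15.0", 10.0, True, True, True),
    Advisory("EXAMPLE-0001", "com.example:widget", "1.0.0", "1.4.0", 5.3, False, False, False),
]


def is_affected(version, advisory):
    """introduced <= version < fixed, on the simplified version tuples."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def priority_score(advisory):
    """Higher is more urgent. Weights are an assumption: exploitation evidence
    outweighs raw CVSS, so a 10.0 with no known exploit sorts below a 7.5
    that is exploited in the wild."""
    score = advisory.cvss / 10.0
    if advisory.exploited:
        score += 3.0
    if advisory.rce:
        score += 2.0
    if advisory.poc:
        score += 1.0
    return score


def is_high_risk(advisory):
    """The 'high-risk' definition used later in the article: actively
    exploited, has a documented proof of concept, or is an RCE flaw."""
    return advisory.exploited or advisory.poc or advisory.rce


def scan(inventory, advisories=ADVISORIES):
    """inventory: list of (package, version). Returns findings sorted with the
    most urgent first."""
    findings = []
    for package, version in inventory:
        for adv in advisories:
            if adv.package == package and is_affected(version, adv):
                findings.append({
                    "package": package,
                    "version": version,
                    "cve": adv.cve,
                    "high_risk": is_high_risk(adv),
                    "score": priority_score(adv),
                })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    # Constructed inventory: an exploitable Log4j, an already patched Struts,
    # and a low-severity widget finding.
    sample = [
        ("org.apache.logging.log4j:log4j-core", "2.14.1"),
        ("org.apache.struts:struts2-core", "2.3.32"),
        ("com.example:widget", "1.2.0"),
    ]
    for f in scan(sample):
        print(f"{f['score']:.2f} {f['cve']:16} {f['package']} {f['version']} high_risk={f['high_risk']}")
```

The ordering step is the point: a scanner that emits findings in inventory order leaves the team triaging by hand, whereas ranking on exploitation evidence first and CVSS second puts the Log4Shell-class items at the top and the unexploited low-severity ones at the bottom.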
CVE-2017-5638 in Apache Struts, which led to the Equifax data breach, and CVE-2021-44228 in Apache Log4j, known as Log4Shell, are examples of known vulnerabilities. To mitigate this risk, Endor Labs recommends scanning open source components regularly and prioritizing the findings so that remediation effort goes where it matters most.

Compromise of a legitimate package is the second biggest risk. Attackers may compromise resources that belong to an existing legitimate project or to its distribution infrastructure in order to inject malicious code into a component, for example by hijacking the accounts of legitimate project maintainers or by exploiting vulnerabilities in package repositories. The report cites the SolarWinds attack, in which the vendor's build process was compromised to insert a backdoor into a legitimate, signed software update, as an example of this category.

The third biggest open source software risk is name confusion attacks, in which an attacker publishes components whose names resemble those of legitimate open source or system components (typosquatting), suggest trustworthy authors (brandjacking), or play on common naming patterns across languages and ecosystems. To counter this risk, the report recommends checking code characteristics such as pre- and post-install hooks, and project characteristics such as the source code repository, maintainer accounts, release frequency, and number of downstream users. An example of this risk is the Colourama attack, a typosquat of the legitimate Python package "Colorama" that redirected Bitcoin transfers to an attacker-controlled wallet.

Top three operational risks

Along with the top security risks, the Endor Labs report also analyzed the top operational risks that open source software can pose.
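The name-confusion checks the report recommends can be automated at the point where a new dependency is proposed. The following is an added example, not code from the article or from Endor Labs: it flags names close to a vetted list (typosquatting), names that reduce to a vetted name once common ecosystem prefixes and suffixes are stripped, non-ASCII characters in a name, and install-time hooks in npm `package.json` scripts or in a `setup.py` that overrides the install command (the mechanism the Colourama package used). The allow-list, affix lists, similarity cutoff and the sample metadata are all constructed assumptions; everything it reports is a prompt for review, not a verdict.

```python
"""Heuristic checks for name confusion and install-time hooks in a package
that is about to be added as a dependency."""
import difflib
import re
import unicodedata

# Constructed allow-list of vetted names. Assumption: in practice this is the
# organization's approved list or the names already present in the lockfile.
KNOWN_GOOD = {"colorama", "requests", "urllib3", "numpy", "django", "lodash"}

# Affixes ecosystems commonly attach to a project's name. An unknown package
# that reduces to a vetted name once these are stripped deserves a closer look.
PREFIXES = ("python-", "py-", "py", "node-", "npm-", "go-")
SUFFIXES = ("-python", "-py", "-js", "-node", "2", "3")

# npm lifecycle scripts that run code on the installing machine.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def normalize(name):
    """PEP 503 style normalization: case-fold, collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_affixes(name):
    """Remove one leading and one trailing ecosystem affix, if present."""
    stem = name
    for prefix in PREFIXES:
        if stem.startswith(prefix) and len(stem) > len(prefix):
            stem = stem[len(prefix):]
            break
    for suffix in SUFFIXES:
        if stem.endswith(suffix) and len(stem) > len(suffix):
            stem = stem[:-len(suffix)]
            break
    return stem


def check_name(name, known=KNOWN_GOOD, cutoff=0.8):
    """Return a list of human-readable findings about a package name."""
    findings = []
    folded = unicodedata.normalize("NFKC", name)
    if not folded.isascii():
        findings.append("non-ascii characters in name")
    n = normalize(folded)
    if n in known:
        return findings          # exact match against the vetted list
    close = difflib.get_close_matches(n, sorted(known), n=3, cutoff=cutoff)
    if close:
        findings.append("possible typosquat of " + ", ".join(close))
    stem = strip_affixes(n)
    if stem != n and stem in known:
        findings.append("ecosystem-affix variant of " + stem)
    return findings


def npm_install_hooks(package_json):
    """Lifecycle scripts present in a parsed package.json, with their commands."""
    scripts = package_json.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in NPM_LIFECYCLE if hook in scripts]


def setup_py_hooks(source):
    """Flag a setup.py that overrides setuptools commands, the usual way a
    PyPI package runs arbitrary code while being installed."""
    hits = []
    if re.search(r"\bcmdclass\s*=", source):
        hits.append("cmdclass override")
    for m in re.finditer(r"class\s+\w+\s*\(\s*(install|develop|egg_info)\s*\)", source):
        hits.append("subclasses setuptools " + m.group(1) + " command")
    return hits


# Constructed sample setup.py in the shape a typosquat would use; the payload
# is deliberately left out.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        # payload would execute here on the installing machine

setup(name="colourama", version="0.1.0", cmdclass={"install": PostInstall})
'''

# Constructed sample package.json with a lifecycle hook.
SAMPLE_PACKAGE_JSON = {"name": "lodahs", "version": "1.0.0",
                       "scripts": {"postinstall": "node setup.js", "test": "jest"}}

if __name__ == "__main__":
    for candidate in ("colourama", "python-requests", "requests", "c\u043elorama"):
        print(candidate, "->", check_name(candidate))
    print("npm hooks:", npm_install_hooks(SAMPLE_PACKAGE_JSON))
    print("setup.py hooks:", setup_py_hooks(SAMPLE_SETUP_PY))
```

The affix check is intentionally noisy (legitimate projects such as `python-dateutil` carry these prefixes too), which is why it reports rather than blocks; combining a name finding with an install hook on the same package is the combination that should stop a merge until someone has looked at the project's repository and maintainers, as the report advises.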
Unmaintained software, that is, a component or component version that is no longer actively developed, so that patches for functional and security bugs are not provided, is the top operational risk, according to the report. In this case, downstream developers have to develop patches themselves, which increases effort and lengthens resolution times. During that time, the system remains exposed.

Outdated software, not to be confused with unmaintained software, is another major risk. Here a project uses an old version of a component even though newer versions exist. If the version in use is far behind the latest release of a dependency, performing a timely update in an emergency becomes difficult. Older versions of a component may also not receive the same level of security assessment as recent ones. "If a new version is syntactically or semantically incompatible with the current version in use, application developers may require significant update or migration efforts to resolve the incompatibility," the report said.

The third biggest operational risk is untracked dependencies. This occurs when the project developers are not aware of a dependency on a component at all, either because it is not part of an upstream component's software bill of materials, because software composition analysis (SCA) tools do not detect it, or because the dependency is not established through a package manager. Developers must evaluate and compare SCA tools on their ability to produce accurate bills of materials, the report said.

Risks associated with open source software increasing

As the use of open source has grown over the years, the risk it poses is also being highlighted by other cybersecurity firms.
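The three operational risks above are all visible from data a project already has: its source, its manifest, and registry metadata for what it declares. The following is an added example for this article, not code from Endor Labs or the report. It finds untracked dependencies by comparing the modules the code actually imports against the manifest, then classifies each declared dependency as current or behind by patch, minor or major version, and flags those whose latest release is older than a threshold. The sample source, manifest, registry snapshot, import-name-to-distribution map and the 18-month threshold are constructed assumptions.

```python
"""Detect untracked, outdated and unmaintained Python dependencies from the
code, the manifest and a registry snapshot."""
import ast
import sys
from datetime import date

# Constructed application source: requests is declared below, yaml and
# dateutil are imported but not declared, os/json are standard library, and
# the relative import is local code.
SAMPLE_SOURCE = """
import os, json
import requests
import yaml
from dateutil import parser as dtparser
from . import localmodule
"""

# Constructed manifest (what requirements.txt declares).
DECLARED = {"requests": "2.25.1", "legacyfoo": "1.0.0"}

# Import name -> distribution name where they differ. Assumption: a real tool
# derives this from installed package metadata rather than a hand-written map.
MODULE_TO_DIST = {"yaml": "pyyaml", "dateutil": "python-dateutil"}

# Constructed registry snapshot: latest version and when it was released.
REGISTRY = {
    "requests": {"latest": "2.31.0", "last_release": date(2023, 5, 22)},
    "legacyfoo": {"latest": "1.0.2", "last_release": date(2019, 3, 1)},
}

# sys.stdlib_module_names exists from Python 3.10; fall back to a small set.
STDLIB = getattr(sys, "stdlib_module_names",
                 frozenset({"os", "sys", "json", "re", "ast", "datetime"}))


def imported_modules(source):
    """Top-level names of absolute imports in a Python source string."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def untracked_dependencies(source, declared, module_to_dist=MODULE_TO_DIST, stdlib=STDLIB):
    """Distributions the code imports that the manifest does not declare."""
    untracked = set()
    for mod in imported_modules(source):
        if mod in stdlib:
            continue
        dist = module_to_dist.get(mod, mod)
        if dist not in declared:
            untracked.add(dist)
    return untracked


def parse_version(v):
    """'2.25.1' -> (2, 25, 1); non-numeric fragments contribute only digits."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))


def staleness(used, latest):
    """'major', 'minor', 'patch' or 'current'. A major-version gap is the case
    the report warns about: the update is likely a migration, not a bump."""
    u = (parse_version(used) + (0, 0, 0))[:3]
    l = (parse_version(latest) + (0, 0, 0))[:3]
    if l[0] > u[0]:
        return "major"
    if l[1] > u[1]:
        return "minor"
    if l[2] > u[2]:
        return "patch"
    return "current"


def unmaintained(last_release, today, max_days=540):
    """No release for roughly 18 months counts as unmaintained (assumed threshold)."""
    return (today - last_release).days > max_days


def report(source=SAMPLE_SOURCE, declared=DECLARED, registry=REGISTRY, today=date(2024, 1, 15)):
    """Combine the three checks into one dictionary for the sample inputs."""
    known = {name: ver for name, ver in declared.items() if name in registry}
    return {
        "untracked": sorted(untracked_dependencies(source, declared)),
        "outdated": {name: staleness(ver, registry[name]["latest"]) for name, ver in known.items()},
        "unmaintained": sorted(name for name in known
                               if unmaintained(registry[name]["last_release"], today)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, "->", value)
```

Running it against the sample flags `pyyaml` and `python-dateutil` as untracked (they would be missing from any SBOM generated from the manifest alone), `requests` as minor-versions behind, and `legacyfoo` as both slightly outdated and unmaintained, which is the combination where a downstream team ends up writing its own patches.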
At least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys. In addition, 48% of all code bases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.