Open source 'a threat to software supply chains' - report

A new study shows that outdated and vulnerable open-source code unwittingly used by IT chiefs is helping cybercriminals target supply chains

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role open source-based software development has on software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities 

Among other headline findings are:

  • A total of 95% of open source vulnerabilities are found in open-source code packages that are not selected by software developers, but are indirectly pulled into projects, making it difficult for organisations to assess the true impact of vulnerabilities.
  • That software ‘ages like milk, not wine, with 50% of the most popular open-source software packages not updated in 2022. Nearly a third (30%) had their last release pre-2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”  

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as away to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.


Featured Articles

Data, visibility and the path to a resilient supply chain

The Beacon platform helps break down data silos, brings end-to-end supply chain visibility and delivers the resilience needed in an uncertain world

Global logistics news roundup: XPO, Uber Freight, Heineken

Uber Freight sets freight carbon reduction goals; XPO launches new multimodal Euro route; Heineken opens huge German distribution centre

Supply chain tech investment in Q3 fell away, says PitchBook

Report from investment analyst PitchBook shows that tough market has spooked 'supply chain tech investors who were writing the large checks'

Supply chain 'forever about cost, quality and service'


Huge US ports investment 'will benefit suppliers' - e2open


SAP seals Mercedes F1 Team supply chain partnership

Digital Supply Chain