Open source 'a threat to software supply chains' - report

A new study shows that outdated and vulnerable open-source code unwittingly used by IT chiefs is helping cybercriminals target supply chains

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role that open-source-based software development plays in software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities 

Among other headline findings are:

  • A total of 95% of open-source vulnerabilities are found in open-source code packages that are not selected by software developers, but are indirectly pulled into projects, making it difficult for organisations to assess the true impact of vulnerabilities.
  • Software ‘ages like milk, not wine’, with 50% of the most popular open-source software packages not updated in 2022. Nearly a third (30%) had their last release pre-2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure”, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”  

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as a way to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.
