Open source 'a threat to software supply chains' - report

A new study shows that outdated and vulnerable open-source code unwittingly used by IT chiefs is helping cybercriminals target supply chains

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role open source-based software development has on software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities 

Among other headline findings are:

  • A total of 95% of open source vulnerabilities are found in open-source code packages that are not selected by software developers, but are indirectly pulled into projects, making it difficult for organisations to assess the true impact of vulnerabilities.
  • That software ‘ages like milk, not wine, with 50% of the most popular open-source software packages not updated in 2022. Nearly a third (30%) had their last release pre-2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”  

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as away to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.

Share

Featured Articles

Top 5PL logistics providers

The 5PL model gained traction during the pandemic, as ecommerce businesses new to international shipping found themselves under increasing pressure

Renewable energy facing supply chain maelstrom, report says

WTW report says progress on renewable energy is being imperilled by supply chain problems, including war, inflation and availability

The four principles of 'breakthrough' supply chain thinking

Breakthrough Supply Chains is a book that seeks to help businesses leaders rethink supply chains to increase both profits and global benefits

Consulting firms demystify digital transformation dark arts

Digital Supply Chain

Google a cautionary tale for Supply chain AI laggards

Procurement

New EC regulation on clean Euro rail energy welcomed

Logistics