Open source 'a threat to software supply chains' - report

A new study shows that outdated and vulnerable open-source code unwittingly used by IT chiefs is helping cybercriminals target supply chains

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role open source-based software development has on software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities 

Among other headline findings are:

  • A total of 95% of open source vulnerabilities are found in open-source code packages that are not selected by software developers, but are indirectly pulled into projects, making it difficult for organisations to assess the true impact of vulnerabilities.
  • That software ‘ages like milk, not wine, with 50% of the most popular open-source software packages not updated in 2022. Nearly a third (30%) had their last release pre-2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”  

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as away to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.


Featured Articles

Why you Should Automate your Supply Chain Analytics

Supply Chain Digital takes a look at some key vendors to consider when your business is automating its supply chain analytics

P&SC LIVE New York welcomes Amanda Davies, Mars Snacking

Amanda Davies, Chief R&D, Procurement and Sustainability Officer at Mars Snacking, is set to speak at Procurement & Supply Chain LIVE New York

P&SC LIVE New York welcomes Kirsten Loegering, ServiceNow

Kirsten Loegering, VP of Product Management, Finance and Supply Chain Workflows at ServiceNow, will speak at Procurement & Supply Chain LIVE New York

P&SC LIVE New York welcomes Dean Ocampo, ServiceNow

Digital Supply Chain

P&SC LIVE London Welcomes New Sponsor – LeanLinking


Procurement & Supply Chain LIVE Dubai is LIVE!