Open source 'a threat to software supply chains' - report

A new report says open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks.
A new study shows that outdated and vulnerable open-source code, unwittingly used by IT chiefs, is helping cybercriminals target supply chains.

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role open source-based software development has on software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities

Among other headline findings are:

  • A total of 95% of open-source vulnerabilities are found in open-source code packages that were not selected by software developers but are pulled into projects indirectly, as dependencies of dependencies, making it difficult for organisations to assess the true impact of a vulnerability.
  • Software ‘ages like milk, not wine’: 50% of the most popular open-source software packages were not updated in 2022, and nearly a third (30%) had their last release before 2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.
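To make the first finding concrete, here is an added example (not from the report or from Endor Labs) that walks a constructed dependency graph and, for each package with an advisory, reports whether it is a direct dependency the developer chose or a transitive one, and which direct dependency pulled it in. Package names and advisory identifiers are placeholders, not real packages or CVEs.

```python
"""Classify vulnerable packages as direct or transitive dependencies.

Added example, not from the Endor Labs report. The graph and the advisory
list are constructed sample data; the package names and advisory ids are
placeholders, not real packages or CVEs.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "app" is the project itself; its edges are the developer-selected direct deps.
DEPS = {
    "app": ["web-framework", "json-tools"],
    "web-framework": ["http-parser", "template-lib"],
    "http-parser": ["string-utils"],
    "template-lib": ["string-utils"],
    "json-tools": [],
    "string-utils": [],
}

# Constructed advisories: package -> placeholder advisory id.
VULNERABLE = {
    "string-utils": "ADVISORY-PLACEHOLDER-1",
    "json-tools": "ADVISORY-PLACEHOLDER-2",
    "unused-lib": "ADVISORY-PLACEHOLDER-3",  # not in this project's graph
}


def reachable_paths(graph, root="app"):
    """BFS from the root; returns {package: one path of names from root}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def classify_vulnerable(graph, advisories, root="app"):
    """Return {package: {advisory, kind, via, path}} for every vulnerable
    package the project actually pulls in; advisories for packages that are
    not reachable from the root are skipped."""
    paths = reachable_paths(graph, root)
    report = {}
    for pkg, advisory in advisories.items():
        if pkg not in paths:
            continue
        path = paths[pkg]
        kind = "direct" if len(path) == 2 else "transitive"
        report[pkg] = {"advisory": advisory, "kind": kind, "via": path[1], "path": path}
    return report


if __name__ == "__main__":
    for pkg, info in classify_vulnerable(DEPS, VULNERABLE).items():
        print(f"{pkg}: {info['kind']} via {info['via']}: {' -> '.join(info['path'])}")
```

The `via` field is the one a team can act on: a transitive vulnerability is fixed by updating or replacing the direct dependency that brings it in, not by editing the transitive package.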

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure”, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as a way to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.
