Open source 'a threat to software supply chains' - report

A new report says open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks.
A new study shows that outdated and vulnerable open-source code unwittingly used by IT chiefs is helping cybercriminals target supply chains.

New research shows that open-source code is an increasing problem in the security of the software supply chain, and that most software “ages like milk, not wine”.

The study was commissioned by Endor Labs, a specialist in securing the software supply chain, and it probes the role open source-based software development has on software supply chain security.

The report says that open-source code has been “a major benefit” to cybercriminals in recent supply chain attacks. It adds “that risk indicators covered in widely used initiatives typically can’t flag such attacks”.

Open-source packages can cause cyber vulnerabilities

Among other headline findings are:

  • A total of 95% of open source vulnerabilities are found in open-source code packages that are not selected by software developers, but are indirectly pulled into projects, making it difficult for organisations to assess the true impact of vulnerabilities.
  • Software ‘ages like milk, not wine’, with 50% of the most popular open-source software packages not updated in 2022. Nearly a third (30%) had their last release pre-2018.
  • New does not mean secure. When upgrading to the latest version of a software code package, there’s a 32% chance it will have known security vulnerabilities.

Varun Badhwar, Co-founder and CEO of Endor Labs, says that although open-source software is “the backbone of organisations’ critical infrastructure”, 80% of the code in modern applications comes from existing operating systems.

“This is a huge arena,” he says. “And yet it’s been largely overlooked. This report makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open-source code is to live up to its potential, then security needs to move to the top of the priority list.”

Supply chains open to back door attacks

The report reinforces the message that supply chains are vulnerable to so-called 'back-door attacks', where cybercriminals target vendor companies as a way to work their way up to bigger organisations.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government, meanwhile, reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the organisation itself.