
Endor Labs Station 9’s Top 10 Open Source Security Risks

Endor Labs' Station 9 has listed the top 10 open source security and operational risks for 2023.
Mar 14th, 2023 6:00am by

Working out what’s what with your program’s open source elements can be a real pain in the rump.

It can be really hard to track a software project’s open source dependencies and their security ramifications. Not that this will come as any surprise to you. Here are the top 10 open source security and operational risks, as identified by Endor Labs Station 9 together with twenty CISOs and CTOs.

The Top 10

Many of these will be all too familiar to you:

  • Components with known vulnerabilities.
  • Compromised legitimate packages.
  • Name confusion attacks. For example, typo-squatting, brand-jacking, and combo-squatting.
  • Unmaintained software.
  • Out-of-date software.
  • Untracked dependencies.
  • License risk.
  • Immature software.
  • Unapproved code changes.
  • Under/over-powered dependency.

Honestly, I’m not that keen on this list. I mean, these are all problems that proprietary code comes with as well. In addition, some are really the same thing. Unmaintained and out-of-date software are often two sides of the same coin. And, coping with open source licenses in your code is just part of any software company’s business these days.
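Name confusion (item three on the list above) is one risk that is cheap to screen for at review time. The following is an added example, not code from Endor Labs or the report: it checks pip-style requirement names against a small constructed list of popular packages and flags one-keystroke typo-squats and affix-based combo-squats for human review. The popular-package set and the affix lists are assumptions standing in for a registry’s real top-downloads data; brand-jacking cannot be detected from the name alone, so it is out of scope here.

```python
import re

# Constructed stand-in for a registry's most-downloaded package list (hypothetical).
POPULAR = {"requests", "urllib3", "numpy", "pyyaml", "cryptography", "boto3", "django"}
# Affixes commonly glued onto a popular name in combo-squatting. Constructed lists.
PREFIXES = ("python-", "py-", "py")
SUFFIXES = ("-dev", "-utils", "-py", "-tools", "3")


def normalize(name: str) -> str:
    """PEP 503 style: case-insensitive, with '-', '_' and '.' treated as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, popular=POPULAR) -> tuple:
    """Return (verdict, lookalike_target). Anything but 'known' is a review flag, not proof."""
    n = normalize(name)
    if n in popular:
        return ("known", n)
    for p in sorted(popular):
        if edit_distance(n, p) == 1:            # one keystroke away: classic typo-squat
            return ("typosquat", p)
    for p in sorted(popular):
        if any(n == pre + p for pre in PREFIXES) or any(n == p + suf for suf in SUFFIXES):
            return ("combosquat", p)            # popular name plus a plausible affix
    return ("unknown", None)                    # not popular, not a lookalike: still untracked


def scan(requirements: str) -> list:
    """Parse pip-style requirement lines and classify each package name."""
    results = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0]
        results.append((name, *classify(name)))
    return results


# Constructed sample requirements file containing deliberate lookalikes.
SAMPLE = "requests==2.28.2\nreqests==2.28.2\npython-requests\nnumpy>=1.24\n" \
         "djanga\nurllib3-dev\ninternal-billing==1.0\n"

if __name__ == "__main__":
    for name, verdict, target in scan(SAMPLE):
        print(f"{name:20} {verdict:11} {target or ''}")
```

Treat every flag as a prompt to confirm the package against the registry page you actually meant, since legitimate projects (python-dateutil, for one) also use these affixes.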

Endor Labs is correct, though, that there is currently no consistent method for assessing and measuring the risks associated with open source. But that’s changing. The Cybersecurity and Infrastructure Security Agency (CISA)’s Vulnerability Exploitability eXchange (VEX) specification is addressing this very problem by putting security advisories into a machine-readable format. Early implementations of this, such as Chainguard’s OpenVEX, are adding this to Software Bills Of Materials (SBOMs).

Dependencies

The report also underscores the importance of understanding the properties of open source dependencies and their corresponding projects and stakeholders. The researchers found that 95% of vulnerabilities exist in transitive dependencies. Adding insult to injury, many of these can cause incompatibility issues when the code is updated. Managing compatibility and security is, indeed, a real problem child in today’s programming.

Endor Labs offers its own open source software lifecycle management services. These range from dependency selection and vulnerability prioritization to SBOM and compliance management. Unless your business is security software, you should consider their offerings or those of other development security companies. Securing code today is a full-time job in and of itself.
