Endor Labs Station 9’s Top 10 Open Source Security Risks

Working out what’s what with your program’s open source elements can be a real pain in the rump.
It can be really hard to track a software project’s open source dependencies and their security ramifications. Not that this will come as any surprise to you. Here are the top 10 open source security and operational risks, as compiled by Endor Labs Station 9 together with twenty CISOs and CTOs.
The Top 10
Many of these will be all too familiar to you:
- Components with known vulnerabilities.
- Compromised legitimate packages.
- Name confusion attacks. For example, typo-squatting, brand-jacking, and combo-squatting.
- Unmaintained software.
- Out-of-date software.
- Untracked dependencies.
- License risk.
- Immature software.
- Unapproved code changes.
- Under/over-powered dependency.
Honestly, I’m not that keen on this list. I mean, these are all problems that proprietary code comes with as well. In addition, some are really the same thing. Unmaintained and out-of-date software are often two sides of the same coin. And, coping with open source licenses in your code is just part of any software company’s business these days.
Endor Labs is correct, though, that there is currently no consistent method for assessing and measuring the risks associated with open source. But, that’s changing. The Cybersecurity and Infrastructure Security Agency (CISA)’s Vulnerability Exploitability eXchange (VEX) specification is addressing this very problem by integrating security advisories into a machine-readable format. Early implementations of this, such as Chainguard’s OpenVEX, are adding this to Software Bills of Materials (SBOMs).
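To show what “machine-readable advisories next to an SBOM” buys you in practice, here is an added example (not Endor Labs’ or the OpenVEX project’s code) that applies OpenVEX-style statements to a small dependency inventory and keeps only the findings that still need action. The field names follow the OpenVEX statement layout as I understand it; the package URLs and CVE identifiers are constructed placeholders, not real findings.

```python
# Added example: apply OpenVEX-style statements to a dependency inventory.
# Field names follow the OpenVEX statement layout as I understand it;
# package URLs and CVE ids below are constructed placeholders.

# Constructed inventory: purl, whether pulled in transitively, scanner hits.
SBOM = [
    {"purl": "pkg:npm/web-app@1.0.0", "transitive": False, "advisories": []},
    {"purl": "pkg:npm/lib-a@2.3.1", "transitive": True, "advisories": ["CVE-0000-0001"]},
    {"purl": "pkg:npm/lib-b@0.9.0", "transitive": True, "advisories": ["CVE-0000-0002"]},
    {"purl": "pkg:npm/lib-c@4.0.0", "transitive": True, "advisories": ["CVE-0000-0003"]},
]

# Constructed OpenVEX-style document (placeholder ids, as a Python dict).
OPENVEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:npm/lib-a@2.3.1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:npm/lib-b@0.9.0"}],
         "status": "affected"},
    ],
}


def vex_status(vex, purl, cve):
    """Latest VEX status for (purl, cve); None if no statement covers it."""
    status = None
    for stmt in vex["statements"]:
        if stmt["vulnerability"]["name"] == cve and any(
                p["@id"] == purl for p in stmt["products"]):
            status = stmt["status"]  # later statements override earlier ones
    return status


def actionable_findings(sbom, vex):
    """Advisories still open after VEX: not_affected/fixed suppress a finding;
    affected, under_investigation and silence keep it, so an incomplete VEX
    document never hides a vulnerable transitive dependency."""
    open_items = []
    for comp in sbom:
        for cve in comp["advisories"]:
            status = vex_status(vex, comp["purl"], cve) or "no_vex_statement"
            if status not in ("not_affected", "fixed"):
                open_items.append((comp["purl"], cve, status, comp["transitive"]))
    return open_items
```

The fail-closed default matters: a component with a scanner hit but no VEX statement stays on the list, which is exactly the transitive-dependency case the report highlights.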
Dependencies
The report also underscores the importance of understanding the properties of open source dependencies and their corresponding projects and stakeholders. The researchers found that 95% of vulnerabilities exist in transitive dependencies. Adding insult to injury, many of these can cause incompatibility issues when the code is updated. Managing compatibility and security is, indeed, a real problem child in today’s programming.
Endor Labs offers its own open source software lifecycle management services. These range from dependency selection and vulnerability prioritization to SBOM and compliance management. Unless your business is security software, you should consider their offerings or those of other development security companies. Securing code today is a full-time job in and of itself.