Many open-source software components have worrying security risks


New research from Lineaje covering “tens of thousands” of open source projects has uncovered just how many vulnerabilities there are in the software many of us use, and how many don’t have a fix.

The study likens open source software (OSS) to an iceberg, in which over 80% of a project is invisible. Overall, Lineaje found that 82% of all OSS is “inherently risky.”

Unknown and dubious security flaws are concern enough, but the security-focused company points out that many developers are happy to borrow and use code from other projects, leaving vulnerabilities in that borrowed code unpatchable by the project that consumes it.

Open source code concerns

The heavy reliance on external developers is arguably the most concerning finding of the study, which uncovered that only around one-third (32%) of Apache software had been written by Apache. The other two-thirds comprised dependencies from other projects.

Apache’s HTTP server powers an estimated two in five of all websites, and around 320 other open source projects are currently active under the Foundation. According to Lineaje, “ASF cannot patch most of the vulnerabilities.”

Lineaje CEO and co-founder Javed Hasan explained that more code is being assembled than built, thus “it’s imperative that organizations today understand that open-source software has risks and is tamperable, even if it is very popular or provided by an established brand.”

Hasan continues: “Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts.” The solution, he says, is to adopt software supply chain management tools to improve risk monitoring. 

Craig Hale
