Many open-source software components have worrying security risks
Over three-quarters of open source software is “inherently risky”, report claims
New research from Lineaje covering “tens of thousands” of open source projects has uncovered just how many vulnerabilities there are in the software many of us use, and how many don’t have a fix.
The study likens open source software (OSS) to an iceberg, whereby over 80% of the project is invisible. Overall, Lineage found that 82% of all OSS is “inherently risky.”
Unknown and dubious security flaws are concern enough, but the security-focused company points out that many developers are happy to borrow and use code from other projects, leaving vulnerabilities unpatchable by the second party.
Open source code concerns
The heavy reliance on external developers is arguably the most concerning find of the study, which uncovered that only around one-third (32%) of Apache software had been written by Apache. The other two-thirds comprised dependencies from other projects.
Apache’s HTTP server powers an estimated two in five of all websites, with around 320 other active open source projects currently active under the Foundation. According to Lineaje, “ASF cannot patch most of the vulnerabilities.”
Lineaje CEO and co-founder Javed Hasan explained that more code is being assembled than built, thus “it’s imperative that organizations today understand that open-source software has risks and is tamperable, even if it is very popular or provided by an established brand.”
Hasan continues: “Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts.” The solution, he says, is to adopt software supply chain management tools to improve risk monitoring.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
- Check out our roundup of the best endpoint protection software
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!