Open-source security really shouldn't be this leaky

News
By published

Ethical software comes at a price, report claims

A hand writing the words Open Source
(Image credit: Shutterstock)

As businesses become increasingly reliant on free and open source (FOSS) software, unnecessary risks to their security posture are being taken. 

A report from software supply chain security firm Sonatype paints a dire picture of the types of open-source software that businesses are relying on, perhaps as a means to cut software costs.

Its State of the Software Supply Chain Report found developers download 1.2 billion vulnerable dependencies every month, and of that number, 96% have had a non-vulnerable alternative.

A surge in OSS supply chain attacks

Attacking open-source repositories that are later downloaded and integrated into corporate software is a clear example of a supply chain cyberattack. 

With some 1,500 dependency changes per application every year, maintaining open-source ecosystems puts a great deal of pressure on developers, and mistakes are always going to be made.

Perhaps as a result, Sonatype is reporting that this type of cyberactivity has seen a massive surge, increasing by 633% year-on-year. 

However, it believes there's a solution: primarily, minimizing dependencies and speeding up software updates on endpoints. It also recommends raising awareness of vulnerable FOSS dependencies among engineering professionals.

Sonatype found that over two-thirds (68%) were confident their apps weren’t using vulnerable libraries, despite that fact that the same percentage of enterprise apps - 68% - were found to contain known vulnerabilities in their open-source software components. 

Read more

> Stay safe with the best antivirus programs right now

> More and more companies are now worried about open source security

> Open source security is rapidly becoming a major concern

What’s more, IT managers were over twice as likely to believe that their firms address software issues regularly during the development stage than their IT security peers. 

For Sonatype, businesses need to simplify and optimize the software development process with smarter tools and more visibility, and better automation.

Supply chain attacks have been some of the most devastating cyber-incidents ever in recent years, including incidents based on the log4j vulnerability, and the SolarWinds compromise. Even today, cybercriminals are compromising organizations of all shapes and sizes using the log4j flaw. 

Via: VentureBeat

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Holographic representation of cloud computing over open businessman's hand
Businesses are struggling to address vulnerabilities hidden in phantom dependencies
Security
Removing software supply chain blind spots that put public sector organizations at risk
Closing the cybersecurity skills gap
The critical need for watertight security across the IT supply chain
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
API
Businesses are being plagued by API security risks - with nearly 99% affected
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Zendesk Relate 2025
Zendesk Relate 2025 - everything you need to know as the event unfolds
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Google Gemini AI
Gemini can now see your screen and judge your tabs
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ugreen \00d7 Genshin Impact Kinich Collectible Gift Box and exclusive Genshin Impact merchandise.

Ugreen reveals exclusive Genshin Impact collection and they're some of the most eye-catching charging products I've ever used
See more latest
Most Popular
Ugreen \00d7 Genshin Impact Kinich Collectible Gift Box and exclusive Genshin Impact merchandise.
Ugreen reveals exclusive Genshin Impact collection and they're some of the most eye-catching charging products I've ever used
Zendesk Relate 2025
Zendesk Relate 2025 - everything you need to know as the event unfolds
Google Gemini AI
Gemini can now see your screen and judge your tabs
iFi iDSD Valkyrie in gold, on a beige desk
iFi's iDSD Valkyrie DAC wants to guide your music to the great hall of Valhalla
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge leak hints at a 2K display and a titanium frame
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
SDUNITED AX835-025FF mini PC
This mini PC with the incredible Strix Halo APU is yet another sign AMD may have given up on big brands for bleeding edge tech
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited