Open-source security really shouldn't be this leaky
Ethical software comes at a price, report claims
As businesses become increasingly reliant on free and open source (FOSS) software, unnecessary risks to their security posture are being taken.
A report from software supply chain security firm Sonatype paints a dire picture of the types of open-source software that businesses are relying on, perhaps as a means to cut software costs.
Its State of the Software Supply Chain Report found developers download 1.2 billion vulnerable dependencies every month, and of that number, 96% have had a non-vulnerable alternative.
A surge in OSS supply chain attacks
Attacking open-source repositories that are later downloaded and integrated into corporate software is a clear example of a supply chain cyberattack.
With some 1,500 dependency changes per application every year, maintaining open-source ecosystems puts a great deal of pressure on developers, and mistakes are always going to be made.
Perhaps as a result, Sonatype is reporting that this type of cyberactivity has seen a massive surge, increasing by 633% year-on-year.
However, it believes there's a solution: primarily, minimizing dependencies and speeding up software updates on endpoints. It also recommends raising awareness of vulnerable FOSS dependencies among engineering professionals.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sonatype found that over two-thirds (68%) were confident their apps weren’t using vulnerable libraries, despite that fact that the same percentage of enterprise apps - 68% - were found to contain known vulnerabilities in their open-source software components.
What’s more, IT managers were over twice as likely to believe that their firms address software issues regularly during the development stage than their IT security peers.
For Sonatype, businesses need to simplify and optimize the software development process with smarter tools and more visibility, and better automation.
Supply chain attacks have been some of the most devastating cyber-incidents ever in recent years, including incidents based on the log4j vulnerability, and the SolarWinds compromise. Even today, cybercriminals are compromising organizations of all shapes and sizes using the log4j flaw.
- These are the best firewalls around
Via: VentureBeat
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.