Open source reliance is creating a bunch of security issues
OSS has many benefits, but creates plenty of risk too
Although many companies are heavily reliant on open source software (OSS) as they seek to accelerate their digital efforts, a new report from VMware Tanzu suggests IT leaders are also conscious of the inherent risks.
Based on a poll of executives, team managers and open source contributors, the report states that 95% of companies use OSS in production, with larger enterprises (1,000+ employees) the most likely to use community open source.
They see many benefits to OSS in production, including reduced costs, more flexibility, a large community that acts as support, as well as improved developer productivity.
However, they are also wary of the numerous cybersecurity risks associated with using open source software. For example, using OSS means companies need to rely on the community to fix bugs and patch vulnerabilities. Most respondents (63%) also concede there are no guarantees vulnerabilities will be remedied or patched, while 54% said it was difficult to keep up to date on vulnerabilities in OSS.
Too many cooks
Further, respondents cited problems with packaging OSS for production, as well as questions of ownership. Many find it challenging to check if dependencies are compliant, while some struggle to track dependencies installed by package managers.
For packaging, one in ten organizations use no tools whatsoever, while two-thirds use multiple tools, which only adds further complexity to the process. And while the majority (65%) have at least one team responsible for packaging OSS, some have as many as five teams.
In most firms, the security team is not ultimately responsible for validating and approving the security of OSS in production, while in a tenth of organizations there is no single owner.
As if the situation wasn't complicated enough, more than half (54%) use different security tools for OSS than they do for other software.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.