Open Source Software Supply Chain Has Security Risks
upstart writes:
While app development is faster and easier, security is still a concern:
In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied - computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things (IoT) - open source software (OSS) was in 100 percent of audited codebases. The other verticals had open source in at least 93 percent of theirs. It can help drive efficiency, cost savings, and developer productivity.
"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.
That said, the increasing use of open source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to myriad targets that depend on it.
The broad use of OSS packaging in development means that often enterprises don't know exactly what's in their software. Having a lot of different hands involved increases complexity, and it's hard to know what's going on in the software supply chain. A report last year from VMware found that concerns about OSS included having to rely on a community to patch vulnerabilities, and the security risks that come with that.
Varun Badhwar, co-founder and CEO of Endor Labs - a startup working to secure OSS in app development - called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.
Badhwar noted that 95 percent of all vulnerabilities are found in "transitive dependencies" - open source code packages that are indirectly pulled into projects rather than selected by developers.
[...] Developers pull the source components together and add business logic, Fox told The Register. This way, open source becomes the foundation of the software. What's changed in recent years is the general awareness of it - not only among well-meaning developers that are creating the software from these disparate parts.
"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."
Read more of this story at SoylentNews.
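The excerpt makes two points a practitioner can act on: teams often cannot say what is actually in their build, and most of what is in it arrives as transitive dependencies nobody picked on purpose. The script below is an added example (not from the article, Synopsys, Endor Labs or The Register) that walks a lockfile-style dependency graph from the application root, separates direct from transitive packages, records the shortest chain that pulled each one in, and then checks the resolved versions against an advisory list. The lock structure, package names, versions and advisory ids are all constructed placeholders; a real npm or pip lockfile would be loaded in place of `SAMPLE_LOCK`, and `fixed_in` stands in for the richer version ranges real advisory feeds publish.

```python
"""Enumerate direct vs. transitive dependencies from a lockfile-style graph
and locate which of them fall under an advisory.

Added example. The lock structure is a simplified, constructed stand-in for
an npm/pip-style lockfile; package names, versions and advisory ids are made up.
"""
from collections import deque

ROOT = ""  # the application itself, mirroring an npm lockfile's "" entry

# Constructed sample lock: package name -> resolved version and declared dependencies.
SAMPLE_LOCK = {
    ROOT:            {"version": "1.0.0",   "dependencies": ["web-framework", "util-lib"]},
    "web-framework": {"version": "4.18.0",  "dependencies": ["body-parse", "cookie-jar", "send-file"]},
    "body-parse":    {"version": "1.20.0",  "dependencies": ["raw-bytes", "query-parse"]},
    "cookie-jar":    {"version": "0.5.0",   "dependencies": []},
    "send-file":     {"version": "0.18.0",  "dependencies": ["mime-db", "raw-bytes"]},
    "raw-bytes":     {"version": "3.1.0",   "dependencies": []},
    "query-parse":   {"version": "6.11.0",  "dependencies": ["side-channel"]},
    "side-channel":  {"version": "1.0.4",   "dependencies": []},
    "mime-db":       {"version": "1.52.0",  "dependencies": []},
    "util-lib":      {"version": "4.17.21", "dependencies": []},
}

# Constructed advisory feed. The ids are placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "raw-bytes", "fixed_in": "3.1.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "util-lib", "fixed_in": "4.17.21"},  # installed version already fixed
    {"id": "EXAMPLE-ADV-0003", "package": "not-installed", "fixed_in": "9.9.9"},  # not in this build
]


def parse_version(v):
    """Turn '1.20.3' into (1, 20, 3) for comparison. Pre-release tags are not handled here."""
    return tuple(int(part) for part in v.split("."))


def resolve(lock, root=ROOT):
    """Breadth-first walk of the dependency graph from the root.

    Returns (direct, transitive, paths). direct and transitive are sets of
    package names; paths maps every installed package to the shortest chain
    of names from a direct dependency down to it, which answers the question
    "why is this package in my build at all?".
    """
    direct_list = list(lock[root]["dependencies"])
    paths = {name: [name] for name in direct_list}
    queue = deque(direct_list)
    while queue:
        name = queue.popleft()
        for child in lock[name]["dependencies"]:
            if child not in paths:  # first visit in BFS order is the shortest path
                paths[child] = paths[name] + [child]
                queue.append(child)
    direct = set(direct_list)
    transitive = set(paths) - direct
    return direct, transitive, paths


def transitive_share(lock, root=ROOT):
    """Fraction of installed packages that no developer selected directly."""
    direct, transitive, _ = resolve(lock, root)
    total = len(direct) + len(transitive)
    return len(transitive) / total if total else 0.0


def match_advisories(lock, advisories, root=ROOT):
    """Report each installed package whose resolved version is below the advisory's fix."""
    direct, _, paths = resolve(lock, root)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in paths:
            continue  # advisory concerns a package this build does not contain
        installed = lock[pkg]["version"]
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append({
                "id": adv["id"],
                "package": pkg,
                "installed": installed,
                "kind": "direct" if pkg in direct else "transitive",
                "path": " -> ".join(paths[pkg]),
            })
    return findings


if __name__ == "__main__":
    direct, transitive, paths = resolve(SAMPLE_LOCK)
    print(f"direct ({len(direct)}): {sorted(direct)}")
    print(f"transitive ({len(transitive)}): {sorted(transitive)}")
    print(f"transitive share of the build: {transitive_share(SAMPLE_LOCK):.0%}")
    for f in match_advisories(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f['id']}: {f['package']}@{f['installed']} ({f['kind']}) via {f['path']}")
```

Even on this small constructed graph, seven of the nine installed packages are transitive, and the one advisory that applies hits a package two hops below anything the developer chose. The `path` field is the part worth keeping in a real report: it tells the team which direct dependency to upgrade or replace, since the vulnerable package itself is not something they declared.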