Open-source software has injected fun and excitement into the lives of IT professionals and technology hobbyists alike. Collaborative by nature, the software can be written by anyone and distributed under licenses that grant others the right to use, change and share the code. Open-source software is foundational for most technology we use today and can result in very valuable solutions that are extensively peer reviewed and maintained.
It is also proliferating fast. Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report found that of 1,000 code bases audited, 96% contained open-source code and 77% of all source code and files originated from open-source. Most forecasters expect open-source software growth of close to 20% annually over the next decade, with the size of the market now generally estimated between $30 billion and $40 billion.
Unsurprisingly, open-source software's lineage is complex. Whereas commercial software is typically designed, built and supported by one corporate entity, open-source code could be written by a lone developer, a well-resourced open-source community or a teenage whiz kid.
Libraries containing all of this open-source code, procedures and scripts are extensive. They can contain libraries within libraries, each with its own family tree. A single open-source project may have thousands of lines of code from hundreds of authors, which can make line-by-line code analysis impractical and may result in vulnerabilities slipping through the cracks.
These challenges are further exacerbated by the fact that many libraries are stored on public repositories such as GitHub, which may be compromised by bad actors injecting malicious code into a component. Vulnerabilities can also be accidentally introduced by developers. Synopsys' OSSRA report found that 74% of the audited code bases had high-risk vulnerabilities.
And don't forget patching, updates and security notifications that are standard practices from commercial suppliers but likely lacking (or far slower) in the world of open-source software. In addition, supply chain cyber risk is turbocharged. The software generally lacks formal records containing the details and supply-chain relationships of the components, or so-called Software Bill of Materials (SBOM).
Add it all up and these vulnerabilities, along with the rapid growth of open-source software, create a vast and rapidly expanding cyberattack environment.
Examples of this risk are everywhere. In April, the discovery of malicious code in XZ Utils showed attackers had spent years trying to gain remote administrator access to Linux systems. They were thwarted by a software engineer who stumbled across the code by accident, but a successful attack would have been unprecedented on an open-source supply chain in terms of scale.
Another major security scare came in November 2021 with a critical vulnerability discovered in the Log4j logging tool, which is used by millions of computers running online services. Known as Log4Shell, it was considered a zero-day vulnerability that had most likely been exploited before its discovery.
Consumers of open-source software need to make cybersecurity a priority
Incidents like these are raising much-needed awareness about open-source cyber risk. Unfortunately, project developers are still creating solutions without considering security, quality control and testing history. That means consumers of open-source software need to make cybersecurity a priority.
Where do we go from here?
Companies need to implement concrete standards on what can be downloaded and what vetting will occur before the software is incorporated. These standards should incorporate the software's lineage, previous known vulnerabilities and whether those have been addressed. Companies must be clear about how the software is supported — if at all. It may sound obvious, but they also need to ensure they are using the latest version.
Next, careful attention should be paid to any potential license violations. Open-source components often do not have a license at all or have one that is incompatible with the intended use.
Supply chain vulnerabilities should also be assessed by requesting evidence of suppliers' security controls and secure development practices. Open-source software should be included in routine vulnerability and security scanning and patch management.
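The vetting standards above (lineage recorded in an SBOM, known vulnerabilities and whether a fixed release exists, licence, latest version) as an added example that is not from this article: a small checker run over a CycloneDX-style SBOM. The SBOM, the advisory identifiers, the registry "latest" versions and the component names other than log4j-core are constructed sample data, not real advisories or registry metadata.

```python
"""Vet an SBOM for the checks a consumer of open-source software should make:
known vulnerabilities (and the fixed-in version), missing or disallowed
licences, and whether the pinned version is the latest release.
All data below is constructed for illustration."""
import json

# Constructed CycloneDX-style SBOM: the formal record of components and versions.
SBOM_JSON = json.dumps({"components": [
    {"name": "log4j-core", "version": "2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "leftpad-ish", "version": "1.0.0"},                # no licence declared
    {"name": "example-parser", "version": "3.2.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
]})

# Constructed advisory feed: name -> affected range and the release that fixes it.
ADVISORIES = {
    "log4j-core": {"id": "EXAMPLE-ADV-1", "affected_below": "2.15.0"},
    "example-parser": {"id": "EXAMPLE-ADV-2", "affected_from": "3.0.0",
                       "affected_below": "3.3.0"},
}
# Constructed registry index of the latest release per component.
LATEST = {"log4j-core": "2.24.0", "leftpad-ish": "1.0.0", "example-parser": "3.3.0"}
# Licence allow-list a company policy might set (assumption, not from the article).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

def vkey(v):
    # Assumes dotted numeric versions, which is all the constructed data uses.
    return tuple(int(p) for p in v.split("."))

def vet_sbom(sbom_json, advisories=ADVISORIES, latest=LATEST, allowed=ALLOWED_LICENSES):
    """Return (component, finding, detail) tuples for every failed check."""
    findings = []
    for c in json.loads(sbom_json)["components"]:
        name, ver = c["name"], c["version"]
        adv = advisories.get(name)
        if adv and vkey(adv.get("affected_from", "0")) <= vkey(ver) < vkey(adv["affected_below"]):
            findings.append((name, "vulnerable", f'{adv["id"]}, fixed in {adv["affected_below"]}'))
        ids = [lic.get("license", {}).get("id") for lic in c.get("licenses", [])]
        if not ids:
            findings.append((name, "no-license", "component declares no licence"))
        elif not set(ids) <= allowed:
            findings.append((name, "license-not-allowed", ",".join(ids)))
        if name in latest and vkey(ver) < vkey(latest[name]):
            findings.append((name, "outdated", f"{ver} < {latest[name]}"))
    return findings

if __name__ == "__main__":
    for component, finding, detail in vet_sbom(SBOM_JSON):
        print(f"{component:15} {finding:20} {detail}")
```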
Companies that use open-source software should also consider engaging a cyber insurance provider. In addition to providing responsive insurance coverage, many carriers offer proactive services to help companies assess cyber risks and monitor IT environments, and even send threat alerts (as was the case with Log4j).
Companies that fail to conduct proper cyber due diligence when deploying open-source software, or neglect to incorporate it into their scanning, are exposing themselves and third parties to malicious activity and the potential for liability issues.
Democratic and nimble, open-source software delivers innovation at speed by vastly reducing development and testing times. But its usage needs to be balanced by compliance and security.