Mitigating Cybersecurity Risk in Open-Source Software
October 02, 2024

Vincent Weafer
Corvus Insurance

Open-source software has injected fun and excitement into the lives of IT professionals and technology hobbyists alike. Collaborative by nature, the software can be written by anyone and distributed under licenses that grant others the right to use, change and share the code. Open-source software is foundational for most technology we use today and can result in very valuable solutions that are extensively peer reviewed and maintained.

It is also proliferating fast. Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report found that of 1,000 code bases audited, 96% contained open-source code and 77% of all source code and files originated from open source. Most forecasters expect open-source software growth of close to 20% annually over the next decade, with the size of the market now generally estimated between $30 billion and $40 billion.

Unsurprisingly, open-source software's lineage is complex. Whereas commercial software is typically designed, built and supported by one corporate entity, open-source code could be written by a lone developer, a well-resourced open-source community or a teenage whiz kid.

The libraries containing all of this open-source code, procedures and scripts are extensive. They can contain libraries within libraries, each with its own family tree. A single open-source project may have thousands of lines of code from hundreds of authors, which can make line-by-line code analysis impractical and may result in vulnerabilities slipping through the cracks.

These challenges are further exacerbated by the fact that many libraries are stored on public repositories such as GitHub, which may be compromised by bad actors injecting malicious code into a component. Vulnerabilities can also be accidentally introduced by developers. Synopsys' OSSRA report found that 74% of the audited code bases had high-risk vulnerabilities.

And don't forget patching, updates and security notifications, which are standard practice from commercial suppliers but likely lacking (or far slower) in the world of open-source software. In addition, supply chain cyber risk is turbocharged: the software generally lacks a formal record of the details and supply-chain relationships of its components, the so-called Software Bill of Materials (SBOM).

Add it all up and these vulnerabilities, along with the rapid growth of open-source software, create a vast and rapidly expanding cyberattack environment.

Examples of this risk are everywhere. In April, the discovery of malicious code in XZ Utils showed that attackers had spent years trying to gain remote administrator access to Linux systems. They were thwarted by a software engineer who stumbled across the code by accident, but a successful attack would have been unprecedented on an open-source supply chain in terms of scale.

Another major security scare came in November 2021 with a critical vulnerability discovered in the Log4j logging tool, which is used by millions of computers running online services. Known as Log4Shell, it was considered a zero-day vulnerability that had most likely been exploited before its discovery.

Consumers of open-source software need to make cybersecurity a priority

Incidents like these are raising much needed awareness about open-source cyber risk. Unfortunately, project developers are still creating solutions without considering security, quality control and testing history. That means consumers of open-source software need to make cybersecurity a priority.

Where do we go from here?

Companies need to implement concrete standards on what can be downloaded and what vetting will occur before the software is incorporated. These standards should incorporate the software's lineage, previous known vulnerabilities and whether those have been addressed. Companies must be clear about how the software is supported — if at all. It may sound obvious, but they also need to ensure they are using the latest version.

Next, careful attention should be paid to any potential license violations. Open-source components often do not have a license at all or have one that is incompatible with the intended use.

Supply chain vulnerabilities should also be assessed by requesting evidence of suppliers' security controls and secure development practices. Open-source software should be included in routine vulnerability and security scanning and patch management.
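One way to turn those standards into a repeatable check is to vet every component listed in an SBOM before it is incorporated. The script below is an added example, not code from the article or from Corvus Insurance. It assumes a CycloneDX-shaped "components" array, and the SBOM fragment, the advisory list, the "latest version" table and the licence allow-list are all constructed for illustration; in practice they would come from the project's real SBOM, a real advisory feed and the organisation's own policy.

```python
"""Vet open-source components from an SBOM against known advisories,
licence policy and the latest upstream version.

Added example (not from the article or Corvus Insurance). Every data
structure below is constructed for illustration.
"""

# Constructed SBOM fragment in the shape of a CycloneDX "components" array.
SBOM = {
    "components": [
        {"name": "liba", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libb", "version": "0.9.1", "licenses": []},
        {"name": "libc", "version": "2.0.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "libd", "version": "3.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ]
}

# Constructed advisory feed: versions strictly below "affected_below" are vulnerable.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "name": "liba", "affected_below": "1.3.0"},
    {"id": "EXAMPLE-2024-0002", "name": "libc", "affected_below": "2.0.0"},  # fixed in 2.0.0
]

# Constructed "latest release" table, standing in for a registry lookup.
LATEST = {"liba": "1.3.2", "libb": "0.9.1", "libc": "2.1.0", "libd": "3.1.0"}

# Licences the (hypothetical) company standard permits for the intended use.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def component_license_ids(comp: dict) -> list:
    """Collect declared SPDX licence ids from a CycloneDX-style component."""
    return [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]


def vet_component(comp: dict, advisories=ADVISORIES, latest=LATEST,
                  allowlist=LICENSE_ALLOWLIST) -> list:
    """Return a list of findings for one component; an empty list means it passes."""
    findings = []
    name, version = comp["name"], comp["version"]
    v = parse_version(version)

    # 1. Previously known vulnerabilities, and whether this version is past the fix.
    for adv in advisories:
        if adv["name"] == name and v < parse_version(adv["affected_below"]):
            findings.append(f"vulnerable: {adv['id']} (fixed in {adv['affected_below']})")

    # 2. Licence: missing entirely, or incompatible with the allow-list.
    ids = [i for i in component_license_ids(comp) if i]
    if not ids:
        findings.append("license: none declared")
    for lid in ids:
        if lid not in allowlist:
            findings.append(f"license: {lid} not on allow-list")

    # 3. Lineage and currency: is there an upstream record, and is this the latest version?
    newest = latest.get(name)
    if newest is None:
        findings.append("lineage: no upstream record")
    elif v < parse_version(newest):
        findings.append(f"outdated: {version} < latest {newest}")
    return findings


def vet_sbom(sbom: dict, **kw) -> dict:
    """Map each component name to its findings."""
    return {c["name"]: vet_component(c, **kw) for c in sbom["components"]}


def blocked(sbom: dict, **kw) -> list:
    """Names of components the standard would reject before incorporation."""
    return sorted(name for name, f in vet_sbom(sbom, **kw).items() if f)


if __name__ == "__main__":
    for name, findings in vet_sbom(SBOM).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Running the block lists each component with its findings: liba is flagged for an open advisory and for being behind the latest release, libb for declaring no licence at all, libc for a licence outside the allow-list and an outdated version (its advisory does not apply, since 2.0.0 is the fixed version), and libd passes. Version comparison is done on integer tuples deliberately, because a string comparison would rank 1.9.9 above 1.10.0 and silently misjudge whether a fix is present.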

Companies that use open-source software should also consider engaging a cyber insurance provider. In addition to providing responsive insurance coverage, many carriers offer proactive services to help companies assess cyber risks and monitor IT environments, and even send threat alerts (as was the case with Log4j).

Companies that fail to conduct proper cyber due diligence when deploying open-source software, or neglect to incorporate it into their scanning, are exposing themselves and third parties to malicious activity and the potential for liability issues.

Democratic and nimble, open-source software delivers innovation at speed by vastly reducing development and testing times. But its usage needs to be balanced by compliance and security.

Vincent Weafer is CTO at Corvus Insurance