Check Point® Software Technologies Ltd.(link is external) has been recognized on Newsweek’s 2025 list of America’s Best Cybersecurity Companies(link is external).
Using open source software has many benefits for organizations. It fosters transparency and innovation, provides flexibility and customization, cuts cost on development and enables collaboration among other developers.
However, organizations could open themselves up to risks if the open source software isn't developed securely. According to a recent report, nearly three-quarters of all commercial codebases contain open source software with high-risk vulnerabilities. These vulnerabilities could lead to holes in the software supply chain for bad actors to exploit, risking malicious attacks and data breaches within organizations.
Vulnerabilities have become pervasive across the software supply chain, as have the malicious actors seeking to exploit them, prompting organizations to bolster security throughout the entire software development life cycle (SDLC) to protect their assets. This emphasis on security is particularly critical for those organizations involved in producing and distributing software that utilizes open source components.
Securely developing open source software is crucial for fostering community trust and ensuring safe, global accessibility while also promoting rapid innovation and maintaining legal compliance. Properly executed, it helps organizations see real measurable change in the health of software supply chains.
A Call for Open Source Security Standardization
A high-profile example of how a vulnerability in open source software can result in catastrophic impact is the Log4J incident. Dubbed "Log4Shell," one of the most widespread security vulnerabilities in recent years, Log4J's popular open source logging tool left millions of organizations susceptible to hackers infiltrating and taking total control of their systems. Organizations that were spared direct attacks scrambled to remediate their systems in late 2021, during a typically quiet period.
The vulnerability was even exploited by state-sponsored hackers to target US critical infrastructure and it was used by top ransomware groups LockBit and ALPHV/BlackCat in attacks. The effects were so devastating that years later, companies are dealing with the fallout, all because one open source link in the software supply chain was not secure.
However, identifying the risks within a software supply chain can be challenging. The best way to protect assets and ensure the integrity of the applications and development pipelines is to develop software with security in mind from the start. Failing to do so could have devastating effects.
There is a strong need for standardized security guidelines to enable open source software developers to prioritize security from the outset. Although the advantages of doing so are clear, building universally agreed-upon frameworks and implementing them at scale is a massive undertaking — one that has yet to be fulfilled.
In lieu of standardization, developers can adopt best practices for better software security. From risk assessment to secure coding practices, these principles can foster a proactive approach to mitigating vulnerabilities and enhancing overall software resilience, and act as a roadmap for developers to embed security into every stage of the software development life cycle.
Top 10 Secure Software Development Guiding Principles
Adopting robust guiding principles for secure software development can enhance both the security and transparency of the software supply chain. The following guidelines developed by the Open Source Security Foundation (OpenSSF) End Users Working Group, encourage software organizations to take responsibility for their consumption of open source software by focusing on activities with the greatest impact and providing a roadmap to implement supply chain security best practices.
1. Employ development practices that are in conformance with modern, industry-accepted secure development methods.
2. Learn and apply secure software design principles (such as least privilege).
3.Learn the most common kinds of vulnerabilities and take steps to make them unlikely or limit their impact.
4. Check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.
5. Harden and secure your software development infrastructure against compromise or infiltration against the same principles, practices, and expectations set for the software developed on and built from them.
6. Prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the secure software development guiding principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.
7. Provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.
8. Manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.
9. Publish security advisories consistent with evolving industry best practices.
10. Actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and evangelize adoption of the secure software development guiding principles among your industry peers.
As the benefits of using open source software are clear, developers need to find ways to create and use it safely to protect the whole software supply chain ecosystem. Developing with security in mind from inception and following the top 10 secure software development guiding principles will help increase transparency and security. Following these steps will put you on the path to ensuring you won't be impacted by the next Log4J — or worse — in the future.
Industry News
Red Hat announced enhanced features to manage Red Hat Enterprise Linux.
StackHawk has taken on $12 Million in additional funding from Sapphire and Costanoa Ventures to help security teams keep up with the pace of AI-driven development.
Red Hat announced jointly-engineered, integrated and supported images for Red Hat Enterprise Linux across Amazon Web Services (AWS), Google Cloud and Microsoft Azure.
Komodor announced the integration of the Komodor platform with Internal Developer Portals (IDPs), starting with built-in support for Backstage and Port.
Operant AI announced Woodpecker, an open-source, automated red teaming engine, that will make advanced security testing accessible to organizations of all sizes.
As part of Summer '25 Edition, Shopify is rolling out new tools and features designed specifically for developers.
Lenses.io announced the release of a suite of AI agents that can radically improve developer productivity.
Google unveiled a significant wave of advancements designed to supercharge how developers build and scale AI applications – from early-stage experimentation right through to large-scale deployment.
Red Hat announced Red Hat Advanced Developer Suite, a new addition to Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, designed to improve developer productivity and application security with enhancements to speed the adoption of Red Hat AI technologies.
Perforce Software announced Perforce Intelligence, a blueprint to embed AI across its product lines and connect its AI with platforms and tools across the DevOps lifecycle.
CloudBees announced CloudBees Unify, a strategic leap forward in how enterprises manage software delivery at scale, shifting from offering standalone DevOps tools to delivering a comprehensive, modular solution for today’s most complex, hybrid software environments.
Azul and JetBrains announced a strategic technical collaboration to enhance the runtime performance and scalability of web and server-side Kotlin applications.
Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.
GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.