Mitigating Cybersecurity Risk in Open-Source Software
October 02, 2024

Vincent Weafer
Corvus Insurance

Open-source software has injected fun and excitement into the lives of IT professionals and technology hobbyists alike. Collaborative by nature, the software can be written by anyone and distributed under licenses that grant others the right to use, change and share the code. Open-source software is foundational for most technology we use today and can result in very valuable solutions that are extensively peer reviewed and maintained.

It is also proliferating fast. Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report found that of 1,000 code bases audited, 96% contained open-source code and 77% of all source code and files originated from open source. Most forecasters expect open-source software growth of close to 20% annually over the next decade, with the size of the market now generally estimated between $30 billion and $40 billion.

Unsurprisingly, open-source software's lineage is complex. Whereas commercial software is typically designed, built and supported by one corporate entity, open-source code could be written by a lone developer, a well-resourced open-source community or a teenage whiz kid.

Libraries containing all of this open-source code, procedures and scripts are extensive. They can contain libraries within libraries, each with its own family tree. A single open-source project may have thousands of lines of code from hundreds of authors, which can make line-by-line code analysis impractical and may result in vulnerabilities slipping through the cracks.

These challenges are further exacerbated by the fact that many libraries are stored on public repositories such as GitHub, which may be compromised by bad actors injecting malicious code into a component. Vulnerabilities can also be accidentally introduced by developers. Synopsys' OSSRA report found that 74% of the audited code bases had high-risk vulnerabilities.

And don't forget patching, updates and security notifications, which are standard practices from commercial suppliers but likely lacking (or far slower) in the world of open-source software. In addition, supply chain cyber risk is turbocharged. The software generally lacks a formal record of the details and supply-chain relationships of its components, the so-called Software Bill of Materials (SBOM).

Add it all up and these vulnerabilities, along with the rapid growth of open-source software, create a vast and rapidly expanding cyberattack environment.

Examples of this risk are everywhere. In April, the discovery of malicious code in XZ Utils showed attackers had spent years trying to gain remote administrator access to Linux systems. They were thwarted by a software engineer who stumbled across the code by accident, but a successful attack would have been unprecedented in scale for an open-source supply chain.

Another major security scare came in November 2021 with a critical vulnerability discovered in the Log4j logging tool, which is used by millions of computers running online services. Known as Log4Shell, it was considered a zero-day vulnerability that had most likely been exploited before its discovery.

Consumers of open-source software need to make cybersecurity a priority

Incidents like these are raising much needed awareness about open-source cyber risk. Unfortunately, project developers are still creating solutions without considering security, quality control and testing history. That means consumers of open-source software need to make cybersecurity a priority.

Where do we go from here?

Companies need to implement concrete standards on what can be downloaded and what vetting will occur before the software is incorporated. These standards should incorporate the software's lineage, previous known vulnerabilities and whether those have been addressed. Companies must be clear about how the software is supported — if at all. It may sound obvious, but they also need to ensure they are using the latest version.

Next, careful attention should be paid to any potential license violations. Open-source components often do not have a license at all or have one that is incompatible with the intended use.

Supply chain vulnerabilities should also be assessed by requesting evidence of suppliers' security controls and secure development practices. Open-source software should be included in routine vulnerability and security scanning and patch management.
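The intake checks described above (known vulnerabilities and whether they are fixed, license status, and whether the latest version is in use) can be automated against an SBOM. The following is a constructed example added here, not code from the article or from Corvus Insurance: it reads a CycloneDX-style SBOM and reports every component that fails the policy. The component names, versions, advisory IDs, "latest release" registry and license allow-list are all placeholders.

```python
"""Vet components in a CycloneDX-style SBOM against an intake policy:
known vulnerabilities must be fixed, a license must be declared and allowed,
and the version in use must be the latest release."""
import json

# Constructed policy: licenses the organization accepts (assumption, not a standard).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "0BSD"}

# Constructed advisory feed: component -> [(fixed_in_version, advisory_id)].
# Versions below fixed_in are affected. IDs are placeholders, not real CVEs.
ADVISORIES = {
    "acme-logger": [("2.17.1", "ADV-PLACEHOLDER-001")],
    "tarball-tools": [("5.6.2", "ADV-PLACEHOLDER-002")],
}
# Constructed "latest release" lookup standing in for a registry query.
LATEST = {"acme-logger": "2.23.1", "tarball-tools": "5.6.2",
          "left-widget": "1.0.0", "copyleft-lib": "3.2.0"}

# Constructed SBOM in the CycloneDX JSON shape (trimmed to the fields used here).
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
 {"name": "acme-logger", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
 {"name": "tarball-tools", "version": "5.6.2", "licenses": [{"license": {"id": "0BSD"}}]},
 {"name": "left-widget", "version": "1.0.0", "licenses": []},
 {"name": "copyleft-lib", "version": "3.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
]}"""

def parse_version(v: str) -> tuple:
    """Turn '2.17.1' into (2, 17, 1); non-numeric parts count as 0 (simplifying assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def vet_sbom(sbom_json: str) -> dict:
    """Return {'name@version': [findings]} for every component that fails the policy."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version, problems = comp["name"], comp["version"], []
        # 1. Known vulnerabilities that this version has not picked up the fix for.
        for fixed_in, adv_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                problems.append(f"known vulnerability {adv_id} (fixed in {fixed_in})")
        # 2. License must be declared and on the allow-list.
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        if not any(ids):
            problems.append("no license declared")
        elif any(i not in ALLOWED_LICENSES for i in ids if i):
            problems.append("license not on allow-list: " + ", ".join(i for i in ids if i))
        # 3. Flag anything behind the latest release.
        latest = LATEST.get(name)
        if latest and parse_version(version) < parse_version(latest):
            problems.append(f"not latest release ({latest} available)")
        if problems:
            findings[f"{name}@{version}"] = problems
    return findings
```

Running `vet_sbom(SBOM_JSON)` flags the outdated, vulnerable logger, the component with no license and the copyleft component, while the fully patched `tarball-tools` passes.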

Companies that use open-source software should also consider engaging a cyber insurance provider. In addition to providing responsive insurance coverage, many carriers offer proactive services to help companies assess cyber risks and monitor IT environments, and even send threat alerts (as was the case with Log4j).

Companies that fail to conduct proper cyber due diligence when deploying open-source software, or neglect to incorporate it into their scanning, are exposing themselves and third parties to malicious activity and the potential for liability issues.

Democratic and nimble, open-source software delivers innovation at speed by vastly reducing development and testing times. But its usage needs to be balanced by compliance and security.

Vincent Weafer is CTO at Corvus Insurance