An analysis of more than five million open-source software packages published by Lineaje, a provider of a platform for tracking open-source software components, finds 95% of security issues involve some type of open-source software package dependency, with more than half (51%) of the vulnerabilities discovered having no known existing fix available.
Overall, the report concludes that 90% of modern applications use open-source components, with a typical application consisting of about 70% open source while the rest is private first-party code or third-party code.
The report also noted that 5% to 8% of all open-source components of any application were contributed from an unknown source, had been tampered with, or were of dubious origin. More troubling still, 70% of open-source software components are either no longer maintained or poorly maintained, according to the report.
Lineaje CEO Javed Hasan said that, ironically, much of that older code is more secure than well-maintained components because more frequent updates create more opportunities for vulnerabilities to be introduced. The report finds open-source projects staffed by very small teams (<10) and large teams (>50) deliver more risky packages than mid-sized teams. Small teams deliver 330% more risky code than mid-sized teams, while larger teams deliver packages with 40% more risk than mid-sized teams.
Additionally, the report finds that contributors from the United States commit more code to open-source projects than those from any other country, with Russia close behind. However, 20% of American contributors choose to remain anonymous, twice the ratio of Russian contributors and three times that of Chinese contributors.
There are plenty of reasons that contributors might prefer to remain anonymous, including corporate policies that forbid making contributions to open-source software projects, but many IT leaders don’t realize the extent to which the provenance of the code being used is not known, said Hasan.
The challenge is that in addition to relying on code of uncertain provenance, open-source software typically incorporates other open-source code to create an indirect dependency, with some projects having as many as 60 layers of components that were created by more than a dozen other projects.
More than 15% of open-source components are also pulled in at multiple versions at once, simply because application developers are more concerned about breaking an application than they are about potential vulnerabilities.
It is, as a result, all but impossible for many organizations to address open-source software security issues on their own, said Hasan. Many organizations wind up wasting a significant amount of time trying to remediate vulnerabilities that, once investigated, turn out to require a developer to create a patch. That issue will likely be further exacerbated as more organizations rely on artificial intelligence (AI) tools that generate code using examples of open-source software collected from across the web, added Hasan.
None of these issues is likely to reduce the amount of dependency on open-source software any time soon, but it’s clear there is cause for concern in an era where cybercriminals have become more adept than ever at exploiting weaknesses in software supply chains that, with each passing day, only become more dependent on open-source software.