Many open-source software components have worrying security risks

Developers are borrowing vulnerabilities as they borrow code from other projects, study finds.

New research from Lineaje covering “tens of thousands” of open source projects has uncovered just how many vulnerabilities there are in the software many of us use, and how many don’t have a fix.

The study likens open source software (OSS) to an iceberg, in which over 80% of a project sits out of sight below the surface. Overall, Lineaje found that 82% of all OSS is “inherently risky.”

Unknown and dubious security flaws are concern enough, but the security-focused company points out that many developers are happy to borrow and use code from other projects, leaving the borrowing project unable to patch the vulnerabilities it inherits.

Open source code concerns

The heavy reliance on external developers is arguably the most concerning finding of the study, which uncovered that only around one-third (32%) of Apache software had been written by Apache. The other two-thirds comprised dependencies from other projects.

Apache’s HTTP server powers an estimated two in five of all websites, and around 320 other open source projects are currently active under the Foundation. According to Lineaje, “ASF cannot patch most of the vulnerabilities.”

Lineaje CEO and co-founder Javed Hasan explained that more code is being assembled than built, so “it’s imperative that organizations today understand that open-source software has risks and is tamperable, even if it is very popular or provided by an established brand.”

Hasan continues: “Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts.” The solution, he says, is to adopt software supply chain management tools to improve risk monitoring.
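As an added illustration of the kind of check such tooling performs (example code written for this page, not Lineaje's product or Apache's), the script below takes a software bill of materials and answers the three questions the study raises: how much of the codebase is first-party, how deep in the dependency tree each borrowed component sits, and which inherited vulnerabilities have no upstream fix and therefore cannot be resolved by upgrading. The SBOM is constructed and simplified from the CycloneDX layout; the `fixed_in` field, the component names and the vulnerability ids are placeholders, not real data.

```python
import json
from collections import deque

# Constructed, simplified SBOM loosely following the CycloneDX 1.4 layout.
# Component names, versions and vulnerability ids are placeholders; "fixed_in"
# is a simplification used here instead of CycloneDX's per-version status list.
SAMPLE_SBOM = json.loads("""
{
  "metadata": {"component": {"bom-ref": "app", "group": "example.org",
                             "name": "webapp", "version": "1.0"}},
  "components": [
    {"bom-ref": "lib-a", "group": "example.org",  "name": "lib-a", "version": "2.1"},
    {"bom-ref": "lib-b", "group": "thirdparty.io", "name": "lib-b", "version": "0.9"},
    {"bom-ref": "lib-c", "group": "thirdparty.io", "name": "lib-c", "version": "4.2"},
    {"bom-ref": "lib-d", "group": "another.dev",   "name": "lib-d", "version": "1.3"}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": []},
    {"ref": "lib-b", "dependsOn": ["lib-c"]},
    {"ref": "lib-c", "dependsOn": ["lib-d"]},
    {"ref": "lib-d", "dependsOn": []}
  ],
  "vulnerabilities": [
    {"id": "PLACEHOLDER-0001", "affects": [{"ref": "lib-c"}], "fixed_in": "4.3"},
    {"id": "PLACEHOLDER-0002", "affects": [{"ref": "lib-d"}], "fixed_in": null}
  ]
}
""")


def first_party_share(sbom, org):
    """Fraction of listed components whose group matches the owning organisation.
    The study's Apache figure (32%) is this number computed over a real SBOM."""
    comps = sbom["components"]
    own = sum(1 for c in comps if c.get("group") == org)
    return own / len(comps)


def dependency_depth(sbom):
    """Map each bom-ref to its shortest distance from the root component
    (1 = direct dependency, 2+ = transitive, i.e. the submerged part of the iceberg)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:          # BFS: first visit is the shortest path
                depth[child] = d + 1
                queue.append((child, d + 1))
    return depth


def unpatchable_findings(sbom, org):
    """Vulnerabilities in third-party components with no fixed version available.
    These are the ones the consuming project cannot close by upgrading; the
    options are replacing the component, carrying a local patch, or mitigating
    around it, so they deserve separate tracking from 'upgrade available' items."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    depth = dependency_depth(sbom)
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln["affects"]:
            comp = by_ref[affected["ref"]]
            if comp.get("group") != org and vuln.get("fixed_in") is None:
                findings.append({
                    "id": vuln["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "depth": depth.get(affected["ref"]),
                })
    return findings


def risk_report(sbom, org):
    """Summary a supply-chain monitoring step could emit per build."""
    return {
        "first_party_share": first_party_share(sbom, org),
        "max_depth": max(dependency_depth(sbom).values(), default=0),
        "unpatchable": unpatchable_findings(sbom, org),
    }


if __name__ == "__main__":
    print(json.dumps(risk_report(SAMPLE_SBOM, "example.org"), indent=2))
```

On the constructed input only one of four components is first-party, the deepest dependency sits three levels down, and one finding (in `lib-d`, reached only through `lib-b` and `lib-c`) has no fix, which is exactly the case the article describes: a flaw the project depends on but cannot patch itself. Running this against a real CycloneDX or SPDX export would need the vulnerability and fixed-version fields read from the format's own schema.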