70% of open-source components are poorly or no longer maintained
The geographic distribution of open-source contributions introduces geopolitical risks that organizations must urgently consider, especially with rising nation-state attacks, according to Lineaje.
Open-source code risks rise with anonymous contributions
Microsoft estimates that its customers face 600 million cyberattacks daily, 24% of which are nation-state attackers targeting the IT sector. With software supporting increasingly vital systems, the origin of code has become a matter of national and economic security.
34% of open-source contributions come from the US, 13% from Russia, and smaller percentages from Canada, the UK, and China.
Of the US open-source contributions, 20% are anonymous, more than twice the rate of its Russian counterparts and three times that of Chinese contributors. Globally, 5-8% of all open-source components of any application are unknown, tampered with, or of dubious origin, and many of these are contributed anonymously.
The implication is that developers are incorporating code into projects without fully understanding its lineage and functionality, potentially introducing hidden backdoors, malware, or critical vulnerabilities and posing significant risks.
Vital sectors such as defense, water, electricity, banking, and retail struggle with software maintenance. Because the open-source they depend on often has contributors from multiple countries, completely excluding code from any adversarial nation is challenging.
Many vulnerabilities lack fixes
The report revealed that, regardless of geographic origin, the average mid-size application exhibits several disturbing trends that lead to critical vulnerabilities.
Open-source contributes 2 to 9 times the code your developers write, and 95% of security weaknesses originate within open-source package dependencies. 51% of these vulnerabilities, across all CVE severity levels, have no known fixes. Additionally, 70% of open-source components are no longer maintained or poorly maintained.
Surprisingly, unmaintained open-source is less vulnerable than well-maintained open-source, which is 1.8 times more vulnerable. The high rate of change in well-maintained components increases risk.
Individual open-source projects embed up to 60 layers of components from dozens of open-source organizations. These are often assembled, Lego-like, into a single complex dependency that developers include in their organizations' applications, leading to poor risk assessment and even poorer remediation approaches. Knowing which vulnerabilities developers can fix easily and which they should not attempt to fix eliminates at least 50% of the vulnerability fix effort and improves security posture by 20-70%.
“Amidst current geopolitical tensions and global dependency on open-source code, it’s critical for enterprises to equip themselves with robust software supply chain security and maintenance tools that uncover hidden security gaps and provide a comprehensive, real-time view of potential vulnerabilities – while ensuring compliance with ever-evolving standards,” said Javed Hasan, CEO, Lineaje.
Team size impacts quality and security
15% of open-source components have multiple versions in a single application, making remediation efforts more difficult. A mid-sized application can pull in 1.4 million lines of code across 139 languages and often drags in more risky memory-unsafe languages. Secure-by-design organizations may use memory-safe languages in private code, but their dependencies exacerbate security risks unless language is a selection criterion for open-source dependencies.
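The findings above (vulnerabilities with no upstream fix, components pulled in at several versions, and memory-unsafe languages arriving through dependencies) are exactly the kind of questions a team can answer from its own component inventory. The script below is an added example written for this page, not Lineaje's tooling or any vendor's product. It runs over a constructed inventory: every component name, version and vulnerability identifier (the `EXAMPLE-000n` values) is invented here, and the field layout (`fixed_in`, `maintained`, `language`) is an assumption about what an SBOM-derived record might carry, not a real schema.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory of an application's open-source components.
# Names, versions and vulnerability identifiers are invented for this
# example and do not refer to real packages or real CVEs.
@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    fixed_in: Optional[str]  # None means no known fix exists upstream

@dataclass
class Component:
    name: str
    version: str
    language: str
    maintained: bool          # assumed field: is the project actively maintained?
    vulns: list = field(default_factory=list)

# Languages treated as memory-unsafe for the language-selection check.
MEMORY_UNSAFE = {"c", "c++", "assembly", "objective-c"}

SAMPLE_INVENTORY = [
    Component("libparse-example", "1.2.0", "c", True,
              [Vulnerability("EXAMPLE-0001", "high", "1.2.1")]),
    Component("libparse-example", "0.9.4", "c", False,
              [Vulnerability("EXAMPLE-0002", "critical", None)]),
    Component("webframework-example", "4.1.0", "python", True,
              [Vulnerability("EXAMPLE-0003", "medium", "4.1.2")]),
    Component("cryptoutil-example", "2.0.0", "rust", True, []),
    Component("loggerlib-example", "3.3.3", "javascript", False,
              [Vulnerability("EXAMPLE-0004", "low", None)]),
]

def duplicate_versions(inventory):
    """Map component name -> sorted versions, for names present at more than one version."""
    versions = defaultdict(set)
    for c in inventory:
        versions[c.name].add(c.version)
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}

def triage_vulnerabilities(inventory):
    """Split findings into those with an upstream fix (actionable by upgrading)
    and those with none (need compensating controls or replacement instead)."""
    fixable, unfixable = [], []
    for c in inventory:
        for v in c.vulns:
            entry = (c.name, c.version, v.vuln_id, v.severity)
            (fixable if v.fixed_in else unfixable).append(entry)
    return fixable, unfixable

def unmaintained_share(inventory):
    """Fraction of components (0.0-1.0) flagged as unmaintained."""
    if not inventory:
        return 0.0
    return sum(1 for c in inventory if not c.maintained) / len(inventory)

def memory_unsafe_components(inventory):
    """Names of components written in a memory-unsafe language."""
    return sorted({c.name for c in inventory if c.language.lower() in MEMORY_UNSAFE})

def report(inventory):
    """Human-readable summary; the functions above hold the checkable results."""
    lines = []
    for name, versions in duplicate_versions(inventory).items():
        lines.append(f"multiple versions: {name} -> {', '.join(versions)}")
    fixable, unfixable = triage_vulnerabilities(inventory)
    lines.append(f"fixable by upgrade: {len(fixable)}, no known fix: {len(unfixable)}")
    for name, version, vid, sev in unfixable:
        lines.append(f"  no fix: {vid} ({sev}) in {name} {version}")
    lines.append(f"unmaintained share: {unmaintained_share(inventory):.0%}")
    lines.append(f"memory-unsafe: {', '.join(memory_unsafe_components(inventory))}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The split in `triage_vulnerabilities` is the practical point: a finding with a `fixed_in` version is a dependency bump, while one without it cannot be closed by upgrading and has to be handled by isolating or replacing the component, so the two lists deserve different owners and different deadlines.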
Open-source projects staffed by very small teams (<10) and large teams (>50) deliver more risky packages than mid-sized teams. Small teams deliver 330% more risky projects than mid-sized teams, while larger teams deliver packages with 40% more risk than mid-sized teams.
“Open-source projects enable industry-transforming product innovation for entrepreneurs, government agencies, and companies around the world. However, with great innovation comes even greater risks – but that doesn’t mean the risks aren’t worth taking,” said Manish Gaur, Director, Product Security, VMware by Broadcom.