82 percent of open source software components are inherently risky
Recent supply chain attacks such as SolarWinds, Log4j and 3CX have highlighted the need to protect the software supply chain as well as the potential consequences of failing to properly assess the integrity of software.
A new report from software supply chain security management company Lineaje looks at the composition of open-source software and assesses the risks associated with its usage.
It finds that 82 percent of all open-source software components are inherently risky with significant risks due to vulnerabilities, security issues, code quality or maintainability concerns. These risks, however, are not evenly distributed, underlining the importance of assessing open-source dependencies continuously given that risks evolve across versions. The popularity of a piece of software is not linked to its risk either -- so choosing dependencies based on their popularity is not a risk mitigation approach.
Visible, direct dependencies only account for 10 percent of all dependencies that an open-source component pulls in while 90 percent are transitive. In addition, 68 percent of dependencies in open-source software are from other open-source projects, which in turn pull in more open-source projects.
The research also analyzes the provenance of each component and finds that while about 68 percent of components are fully attestable, the rest are not. The ability to detect tampering of the software supply chain is directly linked to attestability of integrity. In fact, the recently reported 3CX attacks, which stemmed from an open-source library compromise, would have been detected with a deep integrity check.
While the majority of software assessed had known components, three percent showed unknown components with 5.3 percent being written by an undisclosed author. It finds too that 90 percent of software revealed vulnerabilities that are 'unpatchable' by developers that include an open-source dependency. They can only be patched or fixed by developers of dependent projects.
"It's imperative that organizations today understand that not all open-source software is vetted and tamper-proof, even if it is accessible via the most accredited and highly acknowledged repository. As we've seen time and time again, open-source remains a frequent point of entry for adversaries," says Lineaje CEO and co-founder Javed Hasan. "With more software being assembled than built, it's become more important than ever to have formal tools and processes to understand software DNA. Developers do not have Xray vision to see inside a software component they include and most who make the selection of open-source dependencies are not security experts. As an industry, it's our obligation to assess the quality and security of these software components that are built left of shift-left."
Analysis of 44 projects, including 41,989 components and 26 million lines of code, from the Apache Software Foundation (ASF) and its direct and transitively dependent open-source components, finds 16,489 critical vulnerability instances noted as not having available fixes, and over 40 percent of all components being deemed 'critically risky'.
Echoing the broader analysis of open-source software, 90 percent of Apache software has issues that are 'unpatchable' by ASF members and committers.
You can get the full report on the Lineaje site.