Open Source Reduces Security Risks

Open Source has completely transformed the way the security industry operates in the 2020s, via a collective, collaborative approach whereby many “eyes” are working together to spot vulnerabilities and release fixes.

Currently more than 80 percent of codebases contain at least one known open source vulnerability, a nearly 4 percent increase relative to last year, says Synopsys’s recently released Open Source Security and Risk Analysis Report (OSSRA), which examines vulnerabilities and license conflicts found in roughly 1,700 codebases across 17 industries.

Open Source Software (OSS) is critical to security operations in modern businesses, and enterprises increasingly build, support, and use OSS tools and technology. As Open Source codebases are now the norm, dependency confusion and misconceptions on the process increasingly benefit cyber thieves.

“New” does not automatically mean “secure” in OSS, according to a recent Ender Labs study, which reported that upgrading to the latest version of a package still carries 32% chance of known vulnerabilities. Nowhere is the consequence of these vulnerabilities more evident than when attacks began showing up within the global supply chain in 2020.

SolarWinds and Log4j

New does not mean secure. When upgrading to the latest version of a package, there’s still a 32% chance it will have known vulnerabilities that are “transitive dependencies,” which are open source code packages that are indirectly and automatically pulled into projects, rather than explicitly selected by developers. This became evident with the SolarWinds breach in 2020, and with other attacks like Log4j that followed.

Log4j also highlighted another issue within the software supply chain and woke many developers up to how dependent they are on OSS. Even so, an estimated 29 percent of downloads of Log4j are still of vulnerable versions.

Software Tools

The Open Source Security Index was launched in December 2022, and is a handy tool for developers to know what is top of mind and activity in security projects on GitHub. The index lists the top 100 most popular and fastest-growing security projects on GitHub.

Security projects listed on GitHub are based on a combination of factors, including the number of stars the project has collected, as well as various growth signals, such as number of commits to the project in the last 12 months, the number of contributors to the project, etc. The Index provides a simple up-to-date list of the top open source APIs focused on security.

It’s currently estimated that around 90% of organizations use open source software, according to GitHub’s 2022 Octoverse report. Popular security projects are written in Python (55%), JavaScript (31.6%), Go (25.3%), C (17.7%) and Ruby (12.7%). The index tracks direct security tools,” so you won’t find projects such as Terraform or Elastic in these rankings.

A recent interview at Dark Reading noted that “attack and red-team open source tools remain popular,” that security breaches aimed at modern infrastructure is gaining popularity, and that “automation and ‘as-code’ workflow utilities” are increasingly integrated into security strategies and approaches.

Two security-focused investors — Chenxi Wang of Rain Capital, and Andrew Smyth of Atlantic Bridge — have focused on developing tools to guage the ecosystem and growth around the technologies and companies that they are investing in and working alongside.