A version of this article first appeared in Devops Digest.
Open-source software — code that’s publicly accessible for anyone to view, use, and modify — has become a vital component in the applications produced or used at most companies. Notably, even enterprise software giants that built profitable businesses on proprietary code in the 20th century have become supporters of, and contributors to, open-source projects over the past 20 years.
According to the Black Duck® 2024 Open Source Security and Risk Analysis (OSSRA) report, 96% of 1,000 audited code bases contained open-source code, with open-source expected to grow nearly 20% annually over the next decade.
But since open-source code is developed by communities or individual contributors outside of the organization deploying it in applications, there can be a greater risk of hidden vulnerabilities or gaps in security than would be found in code developed from scratch or based on commercial platforms. This means an additional level of caution is required in securing key business applications.
Unlike commercial software backed by corporate support, open-source code can originate from a wide range of contributors, from individual developers to large, active open-source communities. This variety makes line-by-line review challenging, increasing the likelihood of vulnerabilities slipping through the cracks. Furthermore, many libraries are hosted in public repositories where malicious actors can attempt to inject harmful code. The Black Duck report found that 74% of audited code bases had high-risk vulnerabilities.
Patching, updates and security notifications, standard in commercial software, are often neglected in the open-source world. Additionally, the lack of a Software Bill of Materials (SBOM), a formal record of the components in a piece of code and the supply-chain relationships between them, complicates supply chain risk management: without it, it is easy to miss where a vulnerable component has crept into the code being used.
Recent incidents illustrate these dangers. In April 2024, malicious code discovered in XZ Utils, a set of open-source developer tools, revealed years of efforts by attackers to gain remote access to Linux systems. A software engineer uncovered the code and in so doing helped avert a potential large-scale breach, but the situation highlighted how dependent open-source projects are on the volunteer efforts of individuals to remain secure, rather than on teams of professionals devoted to the issue. Another significant threat emerged with the Log4Shell vulnerability in November 2021, which affected millions of online services and was likely exploited before it was identified.
Such incidents underscore the need for robust security practices to help safeguard against potential losses, and for consumers of open-source software to prioritize cybersecurity. Developers, focused on the creation, usability and effectiveness of their software, aren’t necessarily focused on security. So, businesses must implement concrete standards for evaluating software before incorporating it into their applications, covering the software’s lineage, its known vulnerabilities and whether those have been addressed.
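As an added illustration of the two points above (an SBOM as the record of components and their supply-chain relationships, and checking components against known vulnerabilities before use), the following example, which is not from the original article, reads a constructed CycloneDX-style SBOM and reports the dependency chain through which each component matching a constructed advisory list entered the application. The SBOM contents, package names, versions and the advisory id are all placeholders.

```python
import json
from typing import Dict, List
# Constructed CycloneDX-style SBOM for a hypothetical "billing-service"; "dependencies" records, per package URL (purl), what it pulls in.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "billing-service", "purl": "pkg:maven/example/billing-service@2.3.0"}},
  "components": [
    {"name": "web-framework", "version": "5.1.0",  "purl": "pkg:maven/example/web-framework@5.1.0"},
    {"name": "log-adapter",   "version": "1.2.0",  "purl": "pkg:maven/example/log-adapter@1.2.0"},
    {"name": "logging-core",  "version": "2.14.1", "purl": "pkg:maven/example/logging-core@2.14.1"},
    {"name": "json-utils",    "version": "3.0.2",  "purl": "pkg:maven/example/json-utils@3.0.2"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/billing-service@2.3.0",
     "dependsOn": ["pkg:maven/example/web-framework@5.1.0", "pkg:maven/example/json-utils@3.0.2"]},
    {"ref": "pkg:maven/example/web-framework@5.1.0", "dependsOn": ["pkg:maven/example/log-adapter@1.2.0"]},
    {"ref": "pkg:maven/example/log-adapter@1.2.0",   "dependsOn": ["pkg:maven/example/logging-core@2.14.1"]},
    {"ref": "pkg:maven/example/logging-core@2.14.1", "dependsOn": []},
    {"ref": "pkg:maven/example/json-utils@3.0.2",    "dependsOn": []}
  ]
}
"""

# Constructed advisory list: component name -> affected versions and a placeholder advisory id.
ADVISORIES: Dict[str, dict] = {
    "logging-core": {"versions": {"2.14.0", "2.14.1"}, "id": "ADV-PLACEHOLDER-1"},
}

def vulnerable_paths(sbom_text: str, advisories: Dict[str, dict]) -> Dict[str, List[List[str]]]:
    """Map each matching advisory id to every dependency chain (by component name) from the root down to the affected component."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]
    comps = {c["purl"]: c for c in sbom["components"]}
    comps[root["purl"]] = {"name": root["name"], "version": ""}  # root only appears at the head of a path
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    hits: Dict[str, List[List[str]]] = {}
    def walk(purl: str, path: List[str]) -> None:
        for child in edges.get(purl, []):
            comp = comps.get(child)
            if comp is None or child in path:  # dangling ref, or a cycle in a malformed SBOM
                continue
            adv = advisories.get(comp["name"])
            if adv and comp["version"] in adv["versions"]:
                hits.setdefault(adv["id"], []).append([comps[p]["name"] for p in path + [child]])
            walk(child, path + [child])  # keep descending: a transitive dependency may also be affected

    walk(root["purl"], [root["purl"]])
    return hits
```

The returned chain (application, then each intermediate library, then the affected component) is what tells an engineer which direct dependency to update or replace, rather than just that a vulnerable version exists somewhere in the build.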
Companies using open-source software should also discuss cyber insurance solutions with their insurance professional. Many insurers offer not only broad coverage that is designed to mitigate cyber exposures but also proactive risk management services, such as threat monitoring and on-demand support to help assess cyber risks and protect IT environments, even sending alerts when threats arise. Knowing how to manage these risks is crucial to the long-term success and safety of integrating open-source tools into your workflows.