Known vulnerabilities, compromise of legitimate package, and name confusion attacks are expected to be among the top ten open source software risks in 2023, according to a report by Endor Labs.
The other major open source software risks, according to the report, include unmaintained software, outdated software, untracked dependencies, license risk, immature software, unapproved changes, and under/oversized dependency.
Almost 80% of code in modern applications is code that relies on open source packages. While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, Endor Labs said in its report.
Since open source software comes as-is, without warranties of any kind, any risk of using it is solely on the users. This makes selection, security, and maintenance of these open source dependencies crucial steps towards software supply chain security, the report said.
The Endor Labs report covers both operational and security issues associated with open source components that can lead to compromise of systems, enable data breaches, undermine compliance, and hamper availability. The report features contributions from 20 industry experts, including CISOs from HashiCorp, Adobe, Palo Alto Networks, and Discord.
Top three open source security risks
Known vulnerability, according to the report, is the top risk associated with open source software. This risk occurs when a component version contains vulnerable code, accidentally introduced by its developers. If a known vulnerability is exploited by a threat actor, it could compromise the confidentiality, integrity or availability of the respective system or its data, the Endor Labs report said.
CVE-2017-5638 in Apache Struts that caused the Equifax data breach, and CVE-2021-44228 in Apache Log4j also known as Log4Shell are examples of known vulnerabilities.
To avoid the risk of known vulnerabilities, Endor Labs suggests that regular scan of open source software should be conducted and organizations should prioritize findings to optimize resource allocation.
Compromise of legitimate package is the second biggest risk that open source software contain. Attackers may compromise resources that are part of an existing legitimate project or of the distribution infrastructure to inject malicious code into a component. For example, hijacking the accounts of legitimate project maintainers or exploiting vulnerabilities in package repositories. The SolarWinds cyberattack was a result of a compromise of a legitimate package.
The third biggest open source software risk is name confusion attacks, in which an attacker creates components whose names resemble names of legitimate open source or system components (typosquatting), suggest trustworthy authors (brandjacking) or play with common naming patterns in different languages or ecosystems.
To avoid this risk, organizations need to check code characteristics both before and after installation hooks, check the project characteristics such as source code repository, maintainer accounts, release frequency, number of downstream users, etc, the report said. An example of this risk is the Colourama attack, which was a typosquatting attack on the legitimate python package called “Colorama” that redirected Bitcoin transfers to an attacker-controlled wallet.
Top three operational risks
Along with the top security risks that the open source software contain, the Endor Labs report also analysed the top operational risks that they can pose.
Unmaintained software or when a component or component version is not actively developed anymore leading to patches for functional and security bugs not being available is the top operational risk that open source software pose, according to the report.
In this case, the patch development will have to be done by downstream developers, resulting in increased efforts and longer resolution times. During that time, the system remains exposed.
Outdated software — not to be confused with unmaintained software — is another big risk for open source software. This refers to a project that may be using an old, outdated version of a component, even though newer versions exist.
If the version of a component used is far behind the latest releases of a dependency, it can make it difficult to perform timely updates in emergency situations. Older version of a component may also not receive the same level of security assessment as recent versions.
“If a new version is syntactically or semantically incompatible with the current version in use, application developers may require significant update or migration efforts to resolve the incompatibility,” the report said.
The third biggest operational risk with open source software is untracked dependencies. This occurs when the project developers are not aware of a dependency on a component at all, either because it is not part of an upstream component’s software bill of material, or because software component analysis (SCA) tools do not detect it, or because the dependency is not established using a package manager.
Developers must evaluate and compare SCA tools for their capability to produce accurate bills of materials, the report said.
Risks associated with open source software increasing
As the use of open source is increasing over the years, the risk it poses is also being highlighted by other cybersecurity firms. At least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys.
In addition, 48% of all code bases analysed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.