Organizations of all types run their operations on open-source software (OSS), but without widespread cybersecurity standards, attackers can exploit vulnerabilities in it. A new report from software supply-chain management company Lineaje has found that up to 82% of open-source software components are “inherently risky.” Known vulnerabilities, other security problems, poor maintenance, and questionable code quality are among the most common concerns, according to the report, titled “What’s in Your Open-Source Software?” Although more than 70% of the software used across the enterprise supply chain is open source, these components are typically neither tracked nor updated, leaving companies exposed to cyberattacks.
Lineaje’s report focuses on 44 of the most popular open-source projects from the Apache Software Foundation (ASF). It found that 68% of those projects’ dependencies come from outside the ASF, including many packages whose origin is unclear. The report also found that 64% of the vulnerabilities identified have no available fix, so organizations cannot yet remediate them by updating. Because of this exposure, organizations must recognize that these vulnerabilities exist in many of their favorite open-source solutions, according to Javed Hasan, CEO and Co-Founder of Lineaje.
The report comes soon after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released new guidelines urging organizations to adopt “secure-by-design” practices in software development. Unless software producers follow CISA’s recommendations, the risks in open-source components will remain unaddressed and open to exploitation.