The use of open source software (OSS) in software development continues to grow because it is cost-effective and accessible. It also brings risks of its own, including known vulnerabilities and the exploitation of legitimate packages. To keep developers informed about the key risks associated with OSS, Endor Labs has published a document on the Top Ten Open Source Software Risks. Modelled on the OWASP Top Ten, the report ranks the ten most critical risks (security and/or operational) by seriousness, and for each gives a description, examples, remediation suggestions, and further references.
The number one risk is “known vulnerabilities”: vulnerable code is introduced accidentally by developers and is exploited quickly once the vulnerability is publicly disclosed. Other risks include name confusion attacks, unmaintained and outdated software, untracked dependencies, license and regulatory risks, immature software, unapproved changes, and under- or over-sized dependencies. The report also highlights the fragility of the OSS ecosystem, linking the sustainability of its contributors to the sustainability of geopolitics.
The report is essential for application developers, as it can help them focus on the risks involved in employing open source software and help them pivot toward using the SBOM as the indisputable source of truth for their risk analysis. It is hoped that the report will be updated at least every year as the individual risks change or are replaced in severity by new risks.
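As an added illustration of using the SBOM as the source of truth for risk analysis (example code written for this summary, not part of the Endor Labs report), the following triage walks a CycloneDX-shaped component list and flags three of the listed risks: known vulnerabilities, name confusion, and untracked dependencies. The SBOM, installed-package list, advisory feed (with a placeholder advisory id) and list of well-known package names are all constructed sample data, and the version comparison is deliberately simplified.

```python
from difflib import SequenceMatcher
# Constructed sample: a CycloneDX-shaped SBOM, reduced to the fields used here.
SBOM = {"components": [
    {"name": "requests", "version": "2.19.0"},
    {"name": "reqeusts", "version": "1.0.0"},  # constructed look-alike name
    {"name": "urllib3", "version": "1.24.2"},
]}
# Constructed sample: what the build actually installed (e.g. read from a lockfile).
INSTALLED = {"requests": "2.19.0", "reqeusts": "1.0.0", "urllib3": "1.24.2", "idna": "2.7"}
# Constructed advisory feed: package -> [(first_affected, first_fixed, advisory_id)].
ADVISORIES = {"requests": [("2.0.0", "2.20.0", "ADVISORY-PLACEHOLDER-1")]}
# Constructed list of well-known names used to spot look-alike packages.
POPULAR = {"requests", "urllib3", "numpy", "django"}

def _ver(v):
    """Dotted numeric version -> comparable tuple (simplified; not full PEP 440)."""
    return tuple(int(p) for p in v.split("."))

def known_vulnerabilities(components, advisories=ADVISORIES):
    """Risk #1, known vulnerabilities: version falls inside an advisory's affected range."""
    hits = []
    for c in components:
        for lo, fixed, adv in advisories.get(c["name"], []):
            if _ver(lo) <= _ver(c["version"]) < _ver(fixed):
                hits.append((c["name"], c["version"], adv))
    return hits

def name_confusion(components, popular=POPULAR, threshold=0.85):
    """Name confusion: a name very close to, but not equal to, a well-known package."""
    hits = []
    for c in components:
        if c["name"] in popular:
            continue
        for p in sorted(popular):
            if SequenceMatcher(None, c["name"], p).ratio() >= threshold:
                hits.append((c["name"], p))
    return hits

def untracked_dependencies(components, installed):
    """Untracked dependencies: installed packages the SBOM never declares."""
    return sorted(set(installed) - {c["name"] for c in components})

def triage(sbom=SBOM, installed=INSTALLED):
    """Run all three checks over one SBOM and return the findings grouped by risk."""
    comps = sbom["components"]
    return {"known_vulnerabilities": known_vulnerabilities(comps),
            "name_confusion": name_confusion(comps),
            "untracked": untracked_dependencies(comps, installed)}
```

Calling `triage()` on the sample data reports the vulnerable `requests` version, the look-alike `reqeusts`, and `idna` as installed but missing from the SBOM.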
Key Points:
- Endor Labs has created a report on the Top Ten Open Source Software Risks to help developers stay aware of the potential risks of using OSS.
- The report is inspired by the OWASP Top Ten and lists the ten most important risks (security and/or ops) in order of severity.
- The number one risk is “known vulnerabilities”, with 56% of CVE vulnerabilities being exploited within seven days of public disclosure.
- Other risks include name confusion attacks, unmaintained and outdated software, untracked dependencies, license and regulatory risks, immature software, unapproved changes, and under- or over-sized dependencies.
- The report also highlights the fragility of the OSS ecosystem, linking the sustainability of its contributors to the sustainability of geopolitics.
- The report is essential for application developers, as it can help them focus on the risks involved in employing open source software.
- It is hoped that the report will be updated at least every year as the individual risks change or are replaced in severity by new risks.