
Top 10 Security, Operational Risks From Open Source Code

Open source software (OSS) is increasingly popular for software development due to its low cost and availability. However, it comes with risks that are not always apparent, such as known vulnerabilities and the compromise of legitimate packages. To help developers stay aware of the top OSS risks, Endor Labs has created a report on the Top Ten Open Source Software Risks. Inspired by the OWASP Top Ten, the report ranks the ten most important security and operational risks by severity and, for each, provides a description, examples, remediation advice and further references.

The number one risk listed is “known vulnerabilities”: a component with a publicly disclosed vulnerability is pulled into a project, often without the developers noticing, and the flaw can be exploited soon after disclosure. Other risks include name confusion attacks, unmaintained and outdated software, untracked dependencies, license and regulatory risks, immature software, unapproved changes, and under- or over-sized dependencies. The fragility of the OSS ecosystem is also highlighted, with the sustainability of its contributors linked to geopolitical conditions.

The report is essential for application developers, as it can help them focus on the risks involved in employing open source software and treat the software bill of materials (SBOM) as the authoritative source of truth for their risk analysis. The author hopes the report will be updated at least yearly as the ranking shifts or new risks displace existing ones.
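As an added illustration of what "SBOM as the source of truth" looks like in practice, the following Python script (example code written for this page, not part of the Endor Labs report or any Endor Labs tool) loads a small CycloneDX-style SBOM and checks it for three of the risks listed above: known vulnerabilities, name confusion (typosquatting) and untracked dependencies. The SBOM, the advisory list, the popular-package list and the lock file contents are all constructed for the example; the advisory identifiers are placeholders, not real CVEs.

```python
"""Check a CycloneDX SBOM for known-vulnerable, look-alike and untracked components.

Added example for this article; not code from the Endor Labs report.
Every input below is constructed for illustration.
"""
import json
from difflib import SequenceMatcher

# Constructed CycloneDX 1.4-style SBOM. "reqeusts" is a deliberate look-alike
# of "requests" to exercise the name-confusion check.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "reqeusts", "version": "1.0.0",
     "purl": "pkg:pypi/reqeusts@1.0.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.18",
     "purl": "pkg:pypi/urllib3@1.26.18"}
  ]
}
"""

# Constructed advisory feed (placeholder IDs). A real pipeline would query
# OSV, the GitHub Advisory Database or NVD; here "fixed_in" means every
# earlier version is affected.
KNOWN_VULNS = [
    {"name": "requests", "fixed_in": "2.31.0", "id": "EXAMPLE-ADV-001"},
    {"name": "urllib3", "fixed_in": "1.26.18", "id": "EXAMPLE-ADV-002"},
]

# Constructed list of well-known package names used to spot look-alikes.
POPULAR = ["requests", "urllib3", "numpy", "django", "flask"]

# Constructed view of what the build actually resolved (e.g. from a lock
# file). Anything here that is missing from the SBOM is an untracked dependency.
LOCKFILE = {"requests": "2.25.1", "reqeusts": "1.0.0",
            "urllib3": "1.26.18", "leftover": "0.1"}


def parse_version(version):
    """Turn a plain dotted numeric version into a comparable tuple.

    Assumption: versions are purely numeric; production code should use a
    proper version parser and purl-aware range matching instead.
    """
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Return {component name: version} from a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def known_vulnerabilities(components, advisories=KNOWN_VULNS):
    """Risk 1: components whose version is below the advisory's fix version."""
    findings = []
    for adv in advisories:
        version = components.get(adv["name"])
        if version is not None and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append((adv["name"], version, adv["id"]))
    return findings


def name_confusion(components, popular=POPULAR, threshold=0.8):
    """Risk 2: component names that are not a popular package but look like one.

    Uses difflib's similarity ratio (2*matches/total length); 0.8 is an
    assumed cut-off that catches single-character swaps and drops.
    """
    suspects = []
    for name in components:
        if name in popular:
            continue
        for candidate in popular:
            ratio = SequenceMatcher(None, name, candidate).ratio()
            if ratio >= threshold:
                suspects.append((name, candidate, ratio))
    return suspects


def untracked_dependencies(components, lockfile=LOCKFILE):
    """Risk: packages the build resolved that the SBOM does not declare."""
    return sorted(set(lockfile) - set(components))


def audit(sbom_json=SBOM_JSON):
    """Run all three checks and return the findings as one dictionary."""
    components = load_components(sbom_json)
    return {
        "known_vulnerabilities": known_vulnerabilities(components),
        "name_confusion": name_confusion(components),
        "untracked": untracked_dependencies(components),
    }


if __name__ == "__main__":
    for risk, findings in audit().items():
        print(f"{risk}: {findings}")
```

Running the script flags `requests 2.25.1` against the placeholder advisory, reports `reqeusts` as a look-alike of `requests`, and lists `leftover` as resolved by the build but absent from the SBOM. The same three checks generalise to any SBOM format that exposes name and version per component; what changes is the loader, not the risk logic.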

Key Points:

  • Endor Labs has created a report on the Top Ten Open Source Software Risks to help developers stay aware of the potential risks of using OSS.
  • The report is inspired by the OWASP Top Ten and lists the ten most important risks (security and/or ops) in order of severity.
  • The number one risk is “known vulnerabilities”, with 56% of CVE vulnerabilities being exploited within seven days of public disclosure.
  • Other risks include name confusion attacks, unmaintained and outdated software, untracked dependencies, license and regulatory risks, immature software, unapproved changes, and under- or over-sized dependencies.
  • The fragility of the OSS ecosystem is also highlighted, with the sustainability of its contributors linked to geopolitical conditions.
  • The report is essential for application developers, as it can help them focus on the risks involved in employing open source software.
  • It is hoped that the report will be updated at least every year as the individual risks change or are replaced in severity by new risks.
