Security News > 2022 > December > Open source code for commercial software applications is ubiquitous, but so is the risk

The weakness was just one recent example of a backdoor in open source software for attackers to sneak malicious code onto developer and end-user systems.

If experts identify the software supply as a key security challenge for 2023, the Log4j phenomenon - not to mention the much-better known SolarWinds incursion in 2019 - shed light on how protecting the process could be difficult: A vast amount of commercial software is not written in-house.

Badhwar said 80% to 90% of code in a typical modern application is "Code we don't write, it's code we borrow, and we really don't know who we are borrowing it from. Attackers have figured this out; open source software is going to be foundational for the software supply chain security, so we need to better educate the market on the issues."

The bill urged CISA to "Publicly publish a framework, incorporating government, industry, and open source software community frameworks and best practices, for assessing the risk of open source software components." No progress has been made on the bill since its introduction.

To do this, they explored criticality scores from the two most popular community initiatives to identify critical projects: the Linux Foundation-supported "Census II of Free and Open Source Software - Application Libraries" and the Open Source Security Foundation's Criticality Score project.

"Ultimately, the development organizations remain accountable for the commercial software services and products they sell, so those are other reasons this cannot just be outsourced to the open source community."

News URL

https://www.techrepublic.com/article/open-source-code-software-risk/