Security News > 2023 > April > The double-edged sword of open-source software

The lack of visibility into the software supply chain creates an unsustainable cycle of discovering vulnerabilities and weaknesses in software and IT systems, overwhelming organizations, according to Lineaje.

The analysis revealed that 68% of dependencies are on non-Apache Software Foundation open-source projects.

"It's fascinating to note that although Apache is a large contributor to open-source software, a good portion of the software it relies on is non-Apache Software Foundation. This highlights the incredible diversity and complexity of the open-source community," said Manish Gaur, Head of Product Security at VMware after reviewing the research report.

At the same time, due to the deep transitive nature of dependencies, another 25.8% of all vulnerabilities are not patchable by the organization deploying or including open-source software.

The ability to detect tampering of the software supply chain is directly linked to software integrity.

"With more software being assembled than built, it's become more important than ever to have formal tools to discover software DNA. Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts. We must use software supply chain management tools like SBOM360 to continuously assess the dynamic, inherent risk and integrity of these software components that are built left of shift-left," concluded Hasan.

News URL

https://www.helpnetsecurity.com/2023/04/25/open-source-dependencies/