Today, software supply chain security management company Lineaje, released a new report titled “What’s in Your Open-Source Software?” that found 82% of open-source software components are “inherently risky” due to a mix of vulnerabilities, security issues, code quality or maintainability concerns.
The report highlighted that while more than 70% of software in the enterprise is open source, these elements often aren’t tracked, maintained, updated or inventoried, leaving serious vulnerabilities in the software supply chain for threat actors to exploit.
By infosecbulletin
/ Tuesday , September 10 2024
Researchers at Fortinet unveiled hackers to exploit GeoServer RCE vulnerability deploying malware relating to the vulnerability tracked as “CVE-2024-36401, has...
Read More
By infosecbulletin
/ Monday , September 9 2024
Multiple vulnerabilities have been published by IBM in its webMethods Integration Server which cloud allow attackers to execute arbitrary commands...
Read More
By infosecbulletin
/ Sunday , September 8 2024
Progress Software released an emergency fix for a critical vulnerability (10/10) in its Loadmaster and LoadMaster Multi-Tenant Hypervisor products, which...
Read More
By infosecbulletin
/ Thursday , September 5 2024
CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
Read More
By infosecbulletin
/ Wednesday , September 4 2024
OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Read More
By infosecbulletin
/ Wednesday , September 4 2024
Zyxel has released software updates to fix a serious security issue in certain access point (AP) and security router versions....
Read More
By infosecbulletin
/ Tuesday , September 3 2024
VMware released a security advisory for a major vulnerability in the VMware Fusion product. This vulnerability could be exploited by...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
Malaysia is quickly becoming a leading choice for investing in data centers. It aims to generate RM3.6 billion (US$781 million)...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data...
Read More
This comes less than a week after CISA called for software vendors to take action to implement “secure-by-design” development processes to ship code that’s secure “out of the box.”
Lineaje also found significant risk among widely-used open-source solutions, analyzing the top 44 popular projects of the Apache Software Foundation and discovering that 68% of dependencies are from non-Apache Software Foundation open-source projects, many with opaque origin and update mechanisms.
“It’s imperative that organizations today understand that open-source software has risks and is tamperable, even if it is very popular or provided by an established brand,” said Javed Hasan, CEO and cofounder of Lineaje.
“With more software being assembled than built, it’s become more important than ever to have formal tools to discover software DNA. Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts,” Hasan said.
Given that 64% of all vulnerabilities have no fixes available yet, and can’t be patched, the report echoes CISA’s call for organizations to be more proactive about managing open-source risk. It also recommends that organizations deploy supply chain management tools that have the ability to assess the dynamic inherent risk and integrity of individual dependencies and projects.