InfoSecBulletin Cybersecurity for mankind
Today, software supply chain security management company Lineaje, released a new report titled “What’s in Your Open-Source Software?” that found 82% of open-source software components are “inherently risky” due to a mix of vulnerabilities, security issues, code quality or maintainability concerns.
The report highlighted that while more than 70% of software in the enterprise is open source, these elements often aren’t tracked, maintained, updated or inventoried, leaving serious vulnerabilities in the software supply chain for threat actors to exploit.
Ransomware Activities this week: Threatmon report
ALERT
CISA Releases Four Industrial Control Systems Advisories
Microsoft May 2024 Patch Tuesday fixes 61 flaws 2 zero-days
Newly circulated reserve theft is false: Bangladesh Bank
Bangladesh bank published CBS guideline Version 2.0
Fortinet report
Attackers exploiting vulnerabilities 50% faster, just 4.76 days
TechCrunch report
Indian gov.t sites compromised to plant online betting ads
Damage Costs Predicted To Exceed $265 Billion By 2031
Ransomware expected to attack every 2 seconds by 2031
ALERT CISA WARNS
Black Basta ransomware breached over 500 orgs worldwide
Cyber Attack On Data Center Cooling Systems results disruption
This comes less than a week after CISA called for software vendors to take action to implement “secure-by-design” development processes to ship code that’s secure “out of the box.”
Lineaje also found significant risk among widely-used open-source solutions, analyzing the top 44 popular projects of the Apache Software Foundation and discovering that 68% of dependencies are from non-Apache Software Foundation open-source projects, many with opaque origin and update mechanisms.
“It’s imperative that organizations today understand that open-source software has risks and is tamperable, even if it is very popular or provided by an established brand,” said Javed Hasan, CEO and cofounder of Lineaje.
“With more software being assembled than built, it’s become more important than ever to have formal tools to discover software DNA. Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts,” Hasan said.
Given that 64% of all vulnerabilities have no fixes available yet, and can’t be patched, the report echoes CISA’s call for organizations to be more proactive about managing open-source risk. It also recommends that organizations deploy supply chain management tools that have the ability to assess the dynamic inherent risk and integrity of individual dependencies and projects.
