A recent report by Lineaje, a software supply chain security company, has found that 82% of open-source software components are inherently risky because of vulnerabilities, security issues, or code quality and maintainability problems. Although more than 70% of the software used by organizations is open-source, these components are often not tracked, maintained, updated, or inventoried, leaving them prone to exploitation. The report comes shortly after a warning from CISA (the Cybersecurity and Infrastructure Security Agency) urging software companies to follow secure-by-design processes and ship secure software.
Lineaje also investigated 44 of the most popular projects from the Apache Software Foundation and found that 68% of their dependencies came from third-party open source projects, many of them of unknown origin and with insecure update mechanisms. Software today is mostly assembled rather than built, so organizations must be proactive about managing open-source security risk. Moreover, 64% of all vulnerabilities have no fix available, which makes it even more important for businesses to apply secure software supply chain practices.
These findings are echoed by Javed Hasan, CEO and co-founder of Lineaje. He stresses that even popular and well-known open source software can have malicious tampering, and it is important for software developers to have tools to establish the origin and legitimacy of their code. Ultimately, everyone benefits when organizations take a proactive approach to software security management and invest in code governance and supply chain tools.
Lineaje is a software security and risk management company that focuses on helping organizations analyze, optimize, and protect their software supply chains. Founded in 2016, the company has helped many organizations across various industries to secure and track their software components for a secure-by-design approach. Lineaje’s products are environment agnostic and help businesses (large and small) to gain visibility into their worldwide software supply chain.