DevSecOps, Cloud Security, Vulnerability Management

Report sheds light on main open-source security risks

TechRepublic reports that known vulnerabilities, legitimate package compromise, and name confusion attacks have been cited as the three main security risks facing open-source software this year. According to a report from Endor Labs, threat actors could leverage known flaws in downstream software to facilitate data compromise, while legitimate packages could be infiltrated to inject malicious code. Name confusion attacks, meanwhile, could be conducted through typo-squatting, combo-squatting, and brand-jacking in an effort to lure users into downloading malicious components purporting to be legitimate software. Other key open-source security risks identified in the report include unmaintained software, outdated software, untracked dependencies, license and regulatory gaps, unapproved component changes, immature software, and under/oversized dependencies. "Open-source software represents a goldmine for application developers, but it needs security capabilities that are equally effective. In an environment where more than 80% of the code in new applications can come from existing repositories, it is clear there are serious risks involved," said Endor Labs Lead Security Researcher Henrik Plate.
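The name confusion risks listed above (typo-squatting and combo-squatting) can be screened for on the defender's side before a dependency is installed. The following is an added example, not code from the Endor Labs report or from SC Media: it checks each package name in a requirements-style manifest against an allowlist of approved packages, flagging names that are within a small edit distance of an approved name or that are an approved name glued to a common suffix or prefix. The allowlist, the token list, and the sample manifest are constructed for illustration.

```python
"""Screen dependency names for likely name-confusion candidates.

Added example (not from the cited report). KNOWN_PACKAGES, COMBO_TOKENS and
SAMPLE_MANIFEST are constructed values; a real deployment would load the
allowlist from the organisation's approved-components inventory.
"""

from difflib import SequenceMatcher  # not required below; stdlib only

# Constructed allowlist of packages approved for use (assumption).
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "boto3"}

# Constructed list of tokens commonly bolted onto a real name in combo-squatting.
COMBO_TOKENS = {"dev", "utils", "tools", "security", "official", "python", "py", "new", "v2"}

# Constructed requirements-style manifest used by the stand-alone run below.
SAMPLE_MANIFEST = [
    "requests==2.31.0",          # approved
    "reqeusts==1.0",             # two letters transposed: typo-squat candidate
    "requests-security>=0.1",    # approved name plus a token: combo-squat candidate
    "pandas",                    # simply not on the allowlist
    "# comment line",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name):
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return name.lower().replace("-", "_").replace(".", "_")


def classify(name):
    """Return (verdict, matched_known_name) for a requested package name.

    verdict is one of 'known', 'combo-squat', 'typo-squat' or 'unknown'.
    """
    n = normalise(name)
    known = {normalise(k): k for k in KNOWN_PACKAGES}
    if n in known:
        return "known", known[n]

    # Combo-squat: an approved name plus only well-known filler tokens.
    parts = n.split("_")
    for k in known:
        rest = [p for p in parts if p != k]
        if k in parts and rest and all(p in COMBO_TOKENS for p in rest):
            return "combo-squat", known[k]

    # Typo-squat: within edit distance 1 of an approved name (2 for long names).
    for k in known:
        limit = 1 if len(k) < 8 else 2
        if edit_distance(n, k) <= limit:
            return "typo-squat", known[k]

    return "unknown", None


def audit(manifest_lines):
    """Return (name, verdict, matched) for every non-approved name in a manifest."""
    findings = []
    for line in manifest_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Strip the version specifier; enough for '==', '>=' and '<' forms.
        name = line.split("==")[0].split(">=")[0].split("<")[0].strip()
        verdict, match = classify(name)
        if verdict != "known":
            findings.append((name, verdict, match))
    return findings


if __name__ == "__main__":
    for name, verdict, match in audit(SAMPLE_MANIFEST):
        print(f"{name:25s} {verdict:12s} {match or '-'}")
```

Names flagged as `unknown` are not necessarily malicious; the point of the check is that anything outside the approved inventory, and especially anything that nearly matches an approved name, gets reviewed by a person before it reaches a build.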
