Open-source products up software supply chain risks

Widely used open-source projects have increased odds of causing software supply chain attacks, with 82% of components across the 44 most popular Apache Software Foundation projects exhibiting "extremely high inherent risk," reports SiliconAngle. Patches were unavailable for 64% of identified open-source vulnerabilities and 26% other flaws could not be remediated by the organizations behind the open-source software, according to a Lineaje report. Moreover, only nearly 10% of organizations' vulnerability exposure could be addressed with complete patching. The findings also showed that nearly 3% of all components had an unknown origin while a little more than 5% did not pass basic integrity checks. "It's imperative that organizations today understand that open-source software has risks and is tamper-able, even if it is very popular or provided by an established brand. With more software being assembled than built, it's become more important than ever to have formal tools to discover software DNA," said Lineaje co-founder and CEO Javed Hasan.