Report sheds light on main open-source security risks

TechRepublic reports that known vulnerabilities, legitimate package compromise, and name confusion attacks have been cited as the three main security risks facing open-source software this year. Threat actors could leverage known flaws within downstream software and facilitate data compromise while legitimate packages could be infiltrated to allow malicious code injection, a report from Endor Labs revealed. On the other hand, name confusion attacks could be conducted through typo-squatting, combo-squatting, and brand-jacking in an effort to lure users into downloading malicious components purporting to be legitimate software. Other key open-source security risks include unmaintained software, outdated software, untracked dependencies, license and regulatory gaps, unapproved component changes, immature software, and under/oversized dependencies, the report showed. "Open-source software represents a goldmine for application developers, but it needs security capabilities that are equally effective. In an environment where more than 80% of the code in new applications can come from existing repositories, it is clear there are serious risks Involved," said Endor Labs Lead Security Researcher Henrik Plate.