Open Source Software is a fundamental building block in any modern technology. It has been adopted and is widely used in all fields of modern technology. Open Source Software can be found in cars, cell phones, medical devices, smart TVs, and practically any commercial software written in the past decade.
Open Source Software is constantly on the rise; today, the average commercial software comprises over 70% Open Source components.
For some Open Source libraries, the average weekly download rate is in the millions.
But, who is responsible for the Open Source security in your product? There is no Open Source Ltd. to answer complaints.
The plain and simple answer is – YOU!. You are responsible for all Open Source components in your product, whether you chose them knowingly, got them as dependencies, or from other third-party commercial software. You need a complete list of Open Source components and constantly monitor for known vulnerabilities.
In the past few years, the usage of Open Source in commercial software has doubled, but only now is awareness starting to cache up.
With the rising use of Open Source, the known vulnerabilities have also doubled in 2019 and again in 2020.
Information about known vulnerabilities is available on the NVD site (National Vulnerability Database); it is published and known to all, including hackers who can take advantage of these software vulnerabilities.
Managing cybersecurity risks and managing Open Source risks are two very different and complementary practices. Having an alarm system is no reason to leave the front door open.
Today no software codebase is 100% homegrown; on the contrary, 99% of the modern codebase has Open Source components.
You need to adequately manage Open Source aspects in the software supply chain to have proper visibility of Open Source known vulnerabilities that may put the organization at risk.
ISO standards like 27001, including its extensions, deal with a wide range of cyber risks. But these standards were written in 2013 when the percentage of open source use was less than half of what it is today, and probably this is why they do not explicitly address Open Source cybersecurity risks.
In 1786 Thomas Reid coined the phrase “a chain is no stronger than its weakest link.”.
If you do not manage Open Source vulnerabilities, Open Source is your weakest link!
How weak is this link?
According to a Sonatype survey, 21% of enterprises experienced a breach in 2020 due to Open Source Software. It is safe to assume that most of these enterprises had taken extensive cybersecurity measurements.
99% of modern software has Open Source components in an average of over 70%. In 2020 alone, 9,658 new Open Source vulnerabilities were identified. Disregarding Open Source known vulnerabilities in the software supply chain is no longer a viable option!