Open source software has eaten the world, but the chaos around last month's Log4Shell vulnerability shows the danger when enterprises don't treat it with the respect it deserves.
The danger is two-fold. First, the software supply chain is full of known vulnerabilities that companies aren't patching. Second, attackers have begun exploiting the lack of attention paid to the security of open source projects to deliberately add backdoors and other malicious components.
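The first danger is concrete enough to check for mechanically. As an added example (not code from the article or from Synopsys), the script below reads a Maven `mvn dependency:list` style listing and flags every `log4j-core` artifact whose version falls in the range affected by CVE-2021-44228 (2.0-beta9 up to but not including 2.15.0, with the 2.12.2 and 2.3.1 backport fixes excluded). The sample listing is constructed for illustration; the version-ordering helper and the regular expression are this example's own assumptions about the input format, not part of any tool.

```python
"""Flag log4j-core versions affected by CVE-2021-44228 (Log4Shell) in a
Maven-style dependency listing.  Added illustration, not the article's code."""
import re

# Pre-release tags sort before a GA release of the same number.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
GA_RANK = 9


def version_key(v):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares correctly."""
    base, _, pre = v.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))          # pad '2.0' to (2, 0, 0)
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre.lower())
        tag, num = m.group(1), int(m.group(2) or 0)
        return (*nums[:3], PRE_RANK.get(tag, 0), num)
    return (*nums[:3], GA_RANK, 0)


# Affected range for CVE-2021-44228: 2.0-beta9 <= version < 2.15.0.
FIRST_AFFECTED = version_key("2.0-beta9")
FIRST_FIXED = version_key("2.15.0")
# Backport releases that closed CVE-2021-44228 on older lines (Java 7 / Java 6).
BACKPORT_FIXES = {"2.12.2", "2.3.1"}


def is_vulnerable_log4j_core(version):
    """True if this log4j-core version is affected by CVE-2021-44228.
    Note: 2.15.0 closed this CVE but follow-on CVEs led to further releases,
    so anything below the current 2.17.x line still deserves review."""
    if version in BACKPORT_FIXES:
        return False
    return FIRST_AFFECTED <= version_key(version) < FIRST_FIXED


# Matches both 'group:artifact:jar:version:scope' (mvn dependency:list)
# and 'group:artifact:version' (Gradle-style) coordinates.
LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:(?:jar:)?([^:\s]+)")


def scan_dependency_list(text):
    """Return [(version, vulnerable)] for every log4j-core line in the text."""
    findings = []
    for line in text.splitlines():
        m = LOG4J_CORE_RE.search(line)
        if m:
            version = m.group(1)
            findings.append((version, is_vulnerable_log4j_core(version)))
    return findings


# Constructed sample listing, in the shape 'mvn dependency:list' prints.
SAMPLE_LISTING = """\
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.example:legacy-service:jar:1.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
"""

if __name__ == "__main__":
    for version, vulnerable in scan_dependency_list(SAMPLE_LISTING):
        status = "VULNERABLE to CVE-2021-44228" if vulnerable else "not affected"
        print(f"log4j-core {version}: {status}")
```

The point of the version-key helper is that a naive string comparison gets the pre-release builds wrong: `"2.0-beta9" < "2.0"` lexically, but the beta was shipped before the GA release and was affected, so it has to sort inside the range. The same shape of check, with the affected range swapped, applies to any published advisory; the hard part in practice is producing a complete dependency inventory to feed it, which is exactly what the report above suggests most enterprises do not have.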
Open source is everywhere, and it’s all vulnerable
According to Synopsys' 2021 Open Source Security and Risk Analysis report, 98% of enterprise software projects, both internal and commercial, contain some open source code.
And it isn't just the occasional code fragment or library: in the average application, 75% of the codebase was open source, the report said.
“The pace of technology development these days is only possible because we have great quantities of open-source software at our disposal,” said Nicko van Someren, CTO at Absolute Software. “This lets us build bigger, better products much faster than if we needed to write every line of code ourselves.”