The latest paper from Station 9 provides a thorough review of the difficulties associated with the use of open source software and shows how standard approaches to vulnerability mitigation need to be examined much more carefully.
The State Of Dependency Management, a report from Endor Labs, a start-up committed to securing open source software reuse in application development, provides insight into the pervasive but frequently unmonitored use of existing open source software in application development and the risks associated with this practice.
For instance, according to the report, 95% of all vulnerabilities are found in transitive dependencies: open source packages that developers did not explicitly choose but that were pulled into their projects indirectly. This is the first report from Station 9, a research platform created by Endor Labs that gathers experts from many fields throughout the world.
The issue isn’t simply the broad use of open source code in new apps; rather, it’s the fact that developers directly choose only a small fraction of these dependencies. The remaining dependencies are transitive, or indirect, ones that the build tooling incorporated into the codebase automatically. This creates the conditions for serious potential vulnerabilities that affect development and security in equal measure.
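To make the direct-versus-transitive distinction concrete, the following is an added example (not code from the Endor Labs report or from Station 9). It walks a lockfile-style dependency graph from the application root, records the shortest path by which each package is pulled in, and then classifies each package that appears in an advisory feed as a direct or transitive dependency. The package names and advisory identifiers are constructed placeholders and do not refer to any real package or advisory.

```python
"""Classify advisories against a dependency graph as direct or transitive."""
from collections import deque

# Constructed sample: package -> packages it declares as dependencies.
# Shaped like a resolved lockfile; the names are hypothetical.
SAMPLE_GRAPH = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["string-escape"],
    "http-parser": ["string-escape"],
    "json-utils": [],
    "string-escape": [],
}

# Constructed advisory feed: affected package -> advisory id (placeholders).
SAMPLE_ADVISORIES = {
    "string-escape": "ADVISORY-PLACEHOLDER-1",
    "json-utils": "ADVISORY-PLACEHOLDER-2",
    "unused-lib": "ADVISORY-PLACEHOLDER-3",  # not in this project's graph
}


def resolve(graph, root):
    """Breadth-first walk from root.

    Returns {package: shortest path from root to package}. A package may be
    reachable through several paths; the first (shortest) one found is kept.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def classify(graph, advisories, root="app"):
    """Map each advisory that applies to this project to a finding.

    A finding records whether the affected package is a direct dependency
    (declared by the root) or a transitive one, plus the path that pulls it in
    and its depth below the root. Advisories for packages the project never
    resolves are skipped.
    """
    paths = resolve(graph, root)
    direct = set(graph.get(root, []))
    findings = {}
    for pkg, advisory in advisories.items():
        if pkg not in paths:
            continue
        findings[pkg] = {
            "advisory": advisory,
            "kind": "direct" if pkg in direct else "transitive",
            "path": paths[pkg],
            "depth": len(paths[pkg]) - 1,
        }
    return findings


def summarize(findings):
    """Count findings and report the share that sit in transitive dependencies."""
    total = len(findings)
    transitive = sum(1 for f in findings.values() if f["kind"] == "transitive")
    share = round(transitive / total, 2) if total else 0.0
    return {"total": total, "transitive": transitive, "transitive_share": share}


if __name__ == "__main__":
    results = classify(SAMPLE_GRAPH, SAMPLE_ADVISORIES)
    for pkg, finding in results.items():
        print(f"{pkg}: {finding['kind']} (depth {finding['depth']}) "
              f"via {' -> '.join(finding['path'])} [{finding['advisory']}]")
    print(summarize(results))
```

The path recorded for each transitive finding is what a developer needs in order to act on it: the only lever available is the direct dependency at the top of that path, since the vulnerable package was never chosen explicitly and cannot simply be removed from the project's own manifest.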
The investigation’s findings include the following:
Transitive dependencies contain 95% of all vulnerabilities, making it very challenging for engineers to determine the full severity of these problems, or even whether they are solvable at all. A comparison of the two most popular community projects for identifying critical open source projects, OpenSSF Criticality Scores and Census II, demonstrates that establishing criticality is not an easy task: 75% of the packages in Census II have a Criticality Score of less than 0.64, so organizations must decide for themselves which open source projects are critical to them. Recent supply chain attacks have benefited greatly from dependency confusion, yet these attacks are often not detectable by the risk indicators covered by widely adopted efforts.