Open source software repositories have been subjected to a 633% year-over-year increase in cyber-attacks, according to researchers. Also, there has been an annual, overall increase of 742% since 2019.
What was found?
Throughout the software development lifecycle, organizations rely on open source components, libraries, frameworks, and entire platforms. These components are the lynchpins for communication, software capabilities, security, and user interactions.
On the flip side, the contributors are volunteers, and this can give rise to dangerous open source software security risks. IT teams may be unaware of the open source software security risks they face and may easily miss patch alerts and upgrades that affect their business.
After analyzing data from public and proprietary sources, the software supply chain security firm said that the popularity and growth of open source software repositories continues to climb.
The four main ecosystems (Java, JavaScript, Python, and .NET) are set to go beyond three trillion downloads in the near future.
Technical debt
The amount of third-party code flowing through software supply chains occurs on a massive scale. Yet published code accrues technical debt over time, creating the potential for compounded open source software security vulnerabilities if not kept up-to-date.
Researchers state that around 1.2 billion downloads of Java open source components with known vulnerabilities occur each month, while the new, patched, or improved versions of those components are ignored.
Risky business
Developers tasked with managing dependencies face more complexity in their roles than ever. An average Java application contains 148 dependencies, which is 20 more than 2021’s average, and undergoes an average of ten updates a year.
Each dependency could contain open source software security vulnerabilities, so developers must track potentially several changes per year, per app, and hence mistakes are likely to be made.
It is, therefore, critical that teams understand the risk posed by outdated, vulnerable open source software, and security teams should consider adopting security automation and orchestration tools to lighten the load.
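The kind of automation the article points to starts with a simple, repeatable check: read the application's dependency manifest, compare each pinned version against an advisory feed and against the latest published release, and flag anything vulnerable or outdated. The script below is an added example (not code from the report or the firm it cites) that does this for a Maven-style pom.xml. The artifacts, versions, advisory ranges and "latest release" data are all constructed for the demonstration and do not describe real libraries or real advisories; a production check would pull the advisory and release data from a real vulnerability database and package registry instead.

```python
"""Minimal dependency audit for a Maven-style pom.xml.

Flags each dependency that (a) falls inside a known-vulnerable version range
or (b) lags behind the latest published release. All sample data below is
constructed for illustration (hypothetical artifacts, not real advisories).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample manifest: three hypothetical dependencies.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>json-util</artifactId><version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>log-core</artifactId><version>1.9.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>http-client</artifactId><version>4.5.13</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: "group:artifact" -> list of (introduced, fixed) ranges.
# The lower bound is inclusive, the fixed version is exclusive (i.e. already safe).
ADVISORIES = {
    "com.example:json-util": [("2.0.0", "2.4.0")],
    "com.example:log-core": [("1.0.0", "1.9.0")],
}

# Constructed "latest release" data, standing in for a registry lookup.
LATEST = {
    "com.example:json-util": "2.4.2",
    "com.example:log-core": "1.9.0",
    "com.example:http-client": "4.5.14",
}


@dataclass
class Dependency:
    group: str
    artifact: str
    version: str

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_version(version: str) -> tuple:
    """Turn '4.5.13' into (4, 5, 13) so tuples compare numerically.
    Simplification: qualifiers such as '-SNAPSHOT' or '-rc1' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _local(tag: str) -> str:
    """Strip the XML namespace so '{...}groupId' becomes 'groupId'."""
    return tag.rsplit("}", 1)[-1]


def parse_pom(xml_text: str) -> list:
    """Collect every <dependency> element regardless of namespace prefix."""
    root = ET.fromstring(xml_text)
    deps = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        deps.append(Dependency(fields["groupId"], fields["artifactId"], fields["version"]))
    return deps


def is_affected(version: str, ranges: list) -> bool:
    """True when the version sits in any (introduced <= v < fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def audit(xml_text: str, advisories=ADVISORIES, latest=LATEST) -> list:
    """Return (key, version, issues) per dependency; an empty issues list means clean."""
    findings = []
    for dep in parse_pom(xml_text):
        issues = []
        if is_affected(dep.version, advisories.get(dep.key, [])):
            issues.append("VULNERABLE")
        newest = latest.get(dep.key)
        if newest and parse_version(dep.version) < parse_version(newest):
            issues.append(f"OUTDATED (latest {newest})")
        findings.append((dep.key, dep.version, issues))
    return findings


if __name__ == "__main__":
    for key, version, issues in audit(SAMPLE_POM):
        status = ", ".join(issues) if issues else "ok"
        print(f"{key}@{version}: {status}")
```

Run as a script it prints one line per dependency: json-util 2.3.1 is both inside the advisory range and behind the latest release, log-core 1.9.0 is exactly the fixed version and is clean, and http-client 4.5.13 is merely outdated. Running such a check in CI on every manifest change is the low-effort half of the "security automation" the article recommends; the remaining work is wiring it to a maintained advisory source and a real registry rather than the constructed tables used here.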