A recent report has disclosed a tremendous growth of 633% (year-over-year) in cyber-attacks on open-source repositories. This sharp rise runs in parallel with the boom in adoption of open-source repos among enterprises.
Recent findings
New research by Sonatype suggests that the massive use of open-source repos has invited the risk of being targeted by cyber adversaries.
The top downloaded open-source ecosystems are Java (Maven), JavaScript (npm), Python (PyPI), and .NET (NuGet). The overall download volume of these four ecosystems is projected to top 3 trillion downloads in the future.
The report states that 1.2 billion vulnerable Java dependencies are still being downloaded each month, while newer, patched versions are ignored by users.
About 6 out of every 7 project vulnerabilities come from transitive dependencies, and about 96% of known-vulnerable open-source downloads are avoidable because a fixed version already exists.
The landscape of open-source threats
The popularity and growth of open-source repos have security ramifications as well.
Known attacks against open-source repositories have increased by 633% year-over-year. Moreover, since 2019, there has been an annual, overall increase of 742% in such attacks.
Recent exploitations of the open-source ecosystem, from Log4j to crypto heists tied to open-source repositories, have further highlighted the general risks of software supply chain security.
Moreover, rising cyberattacks against popular enterprise products such as Apache HTTP Server and others highlight the growing risk that open-source software poses to enterprises.
Security tips
Organizations using open-source software should prioritize the security of their software development process to deal with the risk of running outdated and vulnerable components. Organizations must also run their own rigorous evaluation and testing process rather than relying on upstream alone. Furthermore, open-source developers should follow best practices to better secure their code.
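The two figures above, that most vulnerabilities arrive through transitive dependencies and that most known-vulnerable downloads have a fixed release available, are easy to check against a project's own dependency tree. The following is an added example, not code from the report or from Sonatype, that walks a constructed dependency graph against a constructed advisory list and reports each hit as direct or transitive and as avoidable or not; the package names, versions and advisories are invented.

```python
from collections import deque

# Constructed sample data; package names, versions and advisories are invented.
DEPENDENCY_GRAPH = {
    "app": ["web-framework==2.1.0", "log-lib==1.4.0"],
    "web-framework==2.1.0": ["json-parser==0.9.2", "log-lib==1.4.0"],
    "json-parser==0.9.2": ["utf-helper==3.0.1"],
    "log-lib==1.4.0": [],
    "utf-helper==3.0.1": [],
}
# name -> (set of vulnerable versions, first fixed version or None if no fix yet)
ADVISORIES = {
    "json-parser": ({"0.9.0", "0.9.1", "0.9.2"}, "0.9.3"),
    "log-lib": ({"1.4.0"}, None),
}

def audit(graph, advisories, root="app"):
    """Breadth-first walk from root. Each package is reported once, at its
    shallowest occurrence: 'direct' means the root declares it, 'transitive'
    means it only arrives via another dependency. 'avoidable' is True when a
    fixed release exists, i.e. the vulnerable version need not be downloaded."""
    findings = []
    seen = {root}
    queue = deque([(root, [])])
    while queue:
        node, path = queue.popleft()
        for spec in graph.get(node, []):
            if spec in seen:
                continue
            seen.add(spec)
            name, version = spec.split("==")
            vulnerable, fixed = advisories.get(name, (set(), None))
            if version in vulnerable:
                findings.append({
                    "package": name,
                    "version": version,
                    "kind": "direct" if node == root else "transitive",
                    "chain": " -> ".join(path + [spec]),
                    "avoidable": fixed is not None,
                    "upgrade_to": fixed,
                })
            queue.append((spec, path + [spec]))
    return findings

def summarize(findings):
    # Counts matching the report's two headline ratios: transitive share, avoidable share.
    return {"total": len(findings),
            "transitive": sum(f["kind"] == "transitive" for f in findings),
            "avoidable": sum(f["avoidable"] for f in findings)}
```

On the sample graph, the unfixed log-lib advisory is reached directly while the fixable json-parser one is only reached through web-framework, so a dependency listing that shows only direct declarations would miss it.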