The software supply chain is becoming the new battleground. Trust, once a cornerstone of open-source, is now under scrutiny. Developers need to exercise caution, vetting each package, no matter how reputable the source might seem.
Software supply chain attacks have spiked significantly year-over-year. Sonatype logged 245,032 malicious packages in publicly downloadable open source projects in 2023, double the number seen from 2019 to 2022 combined. In total, one in eight open source downloads carries known risk.
A very commonly used VoIP telephony system has been compromised via trojans snuck in through an open source component, and the supply chain attack puts over half a million global businesses at risk.
The fallout from the Log4j vulnerability has prompted bipartisan action to beef up open source software security. The proposed act would task CISA with developing a risk framework to evaluate open source code used by the federal government, which could later be extended to critical infrastructure businesses.
Some security experts worry that open-sourcing Twitter's code would not be especially helpful in revealing how the system selects content, but would create avenues of attack for threat actors who could now scrutinize its internal workings.
An open source project maintainer decided to protest the war in Ukraine by targeting computers with an IP address in Russia or Belarus with a malicious update in a controversial act of hacktivism.
Thousands of companies using popular NPM libraries have just learned that the hidden price of free software is that the open source developer may withdraw their consent at any time.
To meet the ever-increasing challenge of cybercrime and rebuild user trust, tech companies will need to be built with a new standard that embraces a transparent and open source approach.
Open source software components are useful for software development yet vulnerable to attacks because of their openness. What are some of the best security practices for managing them?