As businesses become increasingly reliant on free and open source (FOSS) software, unnecessary risks to their security posture are being taken.
That’s according to the latest report (opens in new tab) from software supply chain security firm Sonatype, which paints a dire picture of the types of open-source software that businesses are relying on, perhaps as a means to cut software costs.
As per the company’s State of the Software Supply Chain Report, now in its eighth year, developers download 1.2 billion vulnerable dependencies every month, and of that number, 96% have had a non-vulnerable alternative.
A surge in OSS supply chain attacks
Attacking open-source repositories that are later downloaded and integrated into corporate software is a clear example of a supply chain cyberattack.
With some 1,500 dependency changes per application every year, maintaining open-source ecosystems puts a great deal of pressure on developers, and mistakes are always going to be made.
Perhaps as a result, Sonatype is reporting that this type of cyberactivity has seen a massive surge, increasing by 633% year-on-year.
However, it believes there’s a solution: primarily, minimizing dependencies and speeding up software updates on endpoints. It also recommends raising awareness of vulnerable FOSS dependencies among engineering professionals.
Sonatype found that over two-thirds (68%) were confident their apps weren’t using vulnerable libraries, despite that fact that the same percentage of enterprise apps – 68% – were found to contain known vulnerabilities in their open-source software components.
What’s more, IT managers were over twice as likely to believe that their firms address software issues regularly during the development stage than their IT security peers.
For Sonatype, businesses need to simplify and optimize the software development process with smarter tools and more visibility, and better automation.
Supply chain attacks have been some of the most devastating cyber-incidents ever in recent years, including incidents based on the log4j vulnerability, and the SolarWinds compromise. Even today, cybercriminals are compromising organizations of all shapes and sizes using the log4j flaw.
Via VentureBeat (opens in new tab).