In episode 61 of the Cybersecurity Minute, Chris Hughes takes a look at Endor Labs’ recently released list of the top 10 open-source software risks.
This episode is sponsored by Acceleration Economy’s Digital CIO Summit, taking place April 4-6. Register for the free event here. Tune in to the event to hear from CIO practitioners discuss their modernization and growth strategies.
00:33 — Endor Labs is a software supply chain company on the Acceleration Economy Cybersecurity Top 10 Short List. Endor’s report is on the top 10 open-source software risks. Chris reminds us of Log4j vulnerability as an example of the risks that come with open-source software.
01:15 — Known vulnerabilities comes first on Endor’s list. Open-source software components that have known vulnerabilities are listed in the NIST (National Institute of Standards and Technology) National Vulnerability Database. These vulnerabilities can be exploited if not patched properly.
01:34 — Second is the compromise of a legitimate package, as seen with SolarWinds. This happens when malicious actors take advantage of credentials for open-source software project maintainers or contributors.
02:03 — Next up is name confusion attacks. Chris explains that we’ve seen an uptick in things like typosquatting, brand jacking, and combo squatting. These are essentially taking an open-source software component and then creating a malicious component and renaming it something very similar to the legitimate component.
02:27 — Number four is unmaintained software. The saying goes “software ages like milk.” Some open-source software hasn’t been updated for several years.
03:00 — Number five is outdated software. Sometimes organizations aren’t patching. They haven’t applied the latest version of components to their software.
03:28 — Number six is untracked dependencies. Organizations simply don’t know what open-source software components and dependencies they have in their environment. More organizations are trying to use tools to identify their open-source software consumption.
03:56 — Next up, number seven is licensing and regulatory risk. For example, if your organization is using an open-source software component and violates the licensing by using it in one of its products, there could be legal ramifications.
04:27 — Number eight on the list is immature software, which Chris calls “the promise and the peril of open-source software.” Organizations might make use of immature software components in mature software, putting them at risk.
04:59 — Number nine is unapproved changes. Consumers might put an unapproved change into their systems, software, or products, and it has a negative impact both on security or operations in terms of reliability.
05:27 — And last on the list, number 10, is under/oversized dependencies. This is often referred to as attack surface management or code bloat. Oversized dependencies can increase your attack surface.
06:00 — All that said, there’s a lot of promise when it comes to open-source software. The majority of modern code bases are comprised of open-source software components. If you’re trying to get an understanding of the risks, Endor Labs’ list is a great resource.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: