Open-source software (OSS) is seen by many as a liberator, providing greater access to users and granting near limitless possibilities for development and design collaboration. However, OSS is susceptible to a myriad of security risks. Endor Labs, with contributions from more than 20 industry experts, has produced the Station 9 report illustrating the top 10 operational and security risks associated with OSS.
At the top of the list is the risk from known vulnerabilities in code, followed by legitimate packages compromised by attackers, and confusion attacks such as brandjacking or typo-squatting. The threats continue with unmaintained and outdated software, for which patches or updates may no longer be available. Untracked dependencies can also introduce risk, as can licensing and regulatory issues.
Another risk factor is immature software that does not follow development best practices, limiting its reliability or security. Component changes that developers are unable to notice, review, or approve can also create vulnerabilities. The last risk factor identified is under- or over-sized dependencies: packages with very little or too much functionality.
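Several of the risks above (name-confusion attacks, untracked dependencies, and component changes that arrive without review) can be surfaced with a simple manifest audit. The following script is an added example, not code from the Station 9 report or from Endor Labs; it assumes a hypothetical, team-maintained allowlist of reviewed package names (`KNOWN_GOOD`) and a constructed `requirements.txt`-style manifest. It flags names that are close to a reviewed package (possible typo-squatting), names absent from the allowlist (untracked), entries without an exact version pin (upstream changes slip in unreviewed), and pinned entries without an integrity hash.

```python
import re
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    package: str
    risk: str
    detail: str


# Hypothetical allowlist of package names the team has already reviewed.
KNOWN_GOOD: Set[str] = {"requests", "urllib3", "cryptography", "numpy", "flask"}

# Constructed sample manifest; the hash value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = "\n".join([
    "requests==2.31.0 --hash=sha256:" + "0" * 64,
    "urllib3>=1.26",            # range specifier: new releases arrive unreviewed
    "reqeusts==2.31.0",         # one transposition away from "requests"
    "numpy",                    # no specifier at all
    "left-pad-py==0.0.1",       # not on the reviewed list
])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), used for name similarity."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation so 'Left_Pad.py' and 'left-pad-py' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Split 'name<spec> --hash=... ' into (normalised name, specifier, hash options)."""
    tokens = line.split()
    match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$", tokens[0])
    if not match:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = normalize_name(match.group(1)), match.group(2)
    hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
    return name, spec, hashes


def audit_requirements(text: str, known_good: Set[str] = KNOWN_GOOD,
                       max_distance: int = 2) -> List[Finding]:
    """Return one Finding per risk observed in a requirements-style manifest."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, spec, hashes = parse_requirement(line)

        if name not in known_good:
            close = sorted(k for k in known_good if levenshtein(name, k) <= max_distance)
            if close:
                findings.append(Finding(name, "name-confusion",
                                        "close to reviewed package(s): " + ", ".join(close)))
            else:
                findings.append(Finding(name, "untracked",
                                        "not on the reviewed dependency list"))

        if not spec.startswith("=="):
            findings.append(Finding(name, "unpinned",
                                    f"specifier {spec or '<none>'} admits new upstream releases without review"))
        elif not hashes:
            findings.append(Finding(name, "no-hash",
                                    "pinned version but no --hash, so a replaced artifact would go unnoticed"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.package:<14} {f.risk:<15} {f.detail}")
```

On the constructed manifest the only entry with no findings is `requests`, which is on the allowlist, pinned, and hashed; `reqeusts` is reported as a possible name-confusion attack because its edit distance to `requests` is 2. In practice the allowlist would be generated from the project's reviewed lockfile rather than typed by hand, and the distance threshold tuned to the length of the names involved, since short names produce more false positives.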
The Station 9 report was inspired by the OWASP Top Ten, a standard document for developers and web application security. The team plans to update the report as technology — and threats — continue to evolve.