Open Source Has Its Perks, But Supply Chain Risks Can’t Be Ignored

Analysis: Open source components play an increasingly central role in the software development scene, proving to be a boon in a time of continuous integration and deployment, DevOps, and daily software updates.

In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied – computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things (IoT) – open source software (OSS) was in 100 percent of audited codebases. The other verticals had open source in at least 93 percent of theirs.

Open source can help drive efficiency, cost savings, and developer productivity.

“Open source really is everywhere,” Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.

That said, the increasing use of open source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to myriad targets that depend on it.

The broad use of OSS packages in development means that enterprises often don’t know exactly what’s in their software. Having many different hands involved increases complexity, and it’s hard to know what’s going on in the software supply chain. A report last year from VMware found that concerns about OSS included having to rely on a community to patch vulnerabilities, and the security risks that come with that.

Varun Badhwar, co-founder and CEO of Endor
