New research from Endor Labs offers a view into the rampant but often unmonitored use of existing open-source software in application development and the dangers arising from this common practice.
Open source vulnerabilities
As just one example, the research reveals that 95% of all vulnerabilities are found in transitive dependencies – open-source code packages that developers do not select, but are indirectly pulled into projects.
This is the first report from Station 9, a research capability developed by Endor Labs that brings together researchers, academics and thought leaders from around the world.
“In this environment, open source software is the backbone of our critical infrastructure – but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS,” said Varun Badhwar, CEO of Endor Labs.
“This is a huge arena, yet it’s been largely overlooked. If the reuse of open source code is to live up to its potential, then security needs to move to the top of the priority list,” Badhwar added.
The problem isn’t necessarily the widespread use of existing open-source code in new applications; it is that only a small sampling of these software dependencies is actually selected by the developers involved.
The rest are “transitive,” or indirect, dependencies that are automatically pulled into the codebase. This sets the stage for vulnerabilities, both potential and identifiable, that affect the worlds of security and development in equal measure.
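To make the direct-versus-transitive distinction concrete, here is an added example (not code from the report or from Endor Labs) that walks a resolved dependency graph, separates the packages a developer declared from those pulled in indirectly, and shows, for each package with a known advisory, the chain of dependencies that introduced it. The package names, graph and advisory identifiers are constructed placeholders standing in for a real lockfile or SBOM.

```python
"""Classify an application's dependency graph into direct and transitive
packages, and trace how each package with an advisory was reached.

All data below is CONSTRUCTED sample input: package names, the graph and
the advisory ids are placeholders, not real packages or advisories.
"""
from collections import deque

# Constructed: the dependencies the developer actually declared.
DIRECT_DEPS = ["web-framework", "http-client"]

# Constructed: the resolved graph, package -> packages it requires.
RESOLVED_GRAPH = {
    "web-framework": ["template-engine", "router"],
    "http-client": ["url-parser"],
    "template-engine": ["html-escaper"],
    "router": ["url-parser"],
    "url-parser": [],
    "html-escaper": [],
}

# Constructed: packages carrying a known advisory (placeholder ids).
ADVISORIES = {
    "html-escaper": "PLACEHOLDER-ADVISORY-1",
    "url-parser": "PLACEHOLDER-ADVISORY-2",
    "http-client": "PLACEHOLDER-ADVISORY-3",
}


def classify(direct, graph):
    """Return (direct, transitive) as sorted lists.

    A transitive dependency is anything reachable from a declared
    dependency that was not itself declared.
    """
    seen = set(direct)
    queue = deque(direct)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(direct), sorted(seen - set(direct))


def dependency_path(direct, graph, target):
    """Shortest chain from a declared dependency down to `target`, so a
    reviewer can see which direct choice pulled the package in."""
    queue = deque([[d] for d in direct])
    visited = set(direct)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for child in graph.get(path[-1], []):
            if child not in visited:
                visited.add(child)
                queue.append(path + [child])
    return None  # not reachable from any declared dependency


def exposure_report(direct, graph, advisories):
    """Split advisories by whether the affected package is direct or
    transitive, attaching the introduction path for each."""
    direct_set, transitive = classify(direct, graph)
    report = {"direct": [], "transitive": []}
    for pkg, advisory in sorted(advisories.items()):
        if pkg in direct_set:
            report["direct"].append((pkg, advisory, [pkg]))
        elif pkg in transitive:
            path = dependency_path(direct, graph, pkg)
            report["transitive"].append((pkg, advisory, path))
    return report


def transitive_share(report):
    """Fraction of advisories that sit in transitive packages."""
    total = len(report["direct"]) + len(report["transitive"])
    return len(report["transitive"]) / total if total else 0.0


if __name__ == "__main__":
    rep = exposure_report(DIRECT_DEPS, RESOLVED_GRAPH, ADVISORIES)
    for kind in ("direct", "transitive"):
        for pkg, advisory, path in rep[kind]:
            print(f"{kind:10} {pkg:16} {advisory:24} via {' -> '.join(path)}")
    print(f"share of advisories in transitive packages: {transitive_share(rep):.0%}")
```

On the constructed input two of the three advisories land in packages nobody declared, and the printed path (for example web-framework -> template-engine -> html-escaper) is what tells a reviewer which direct choice to revisit or pin. Against a real project the same logic runs over the resolved lockfile or SBOM instead of the inline dictionaries.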
Key report findings
Among other findings, the