Promoted by Endor Labs and featuring contributions from over 20 industry experts, the new Endor Labs Station 9 report identifies the top operational and security risks in open-source software.
As Endor Labs lead security researcher Henrik Plate puts it, new applications make large use of open-source components and should take seriously any risks coming from their integration.
It’s well-known that open source is oftentimes more performant and secure than proprietary software, but it’s also clear that open source software comes as-is, without warranties of any kind, and any risk of using it being solely on downstream users.
Inspired by the OWASP Top Ten, a standard document for developers and web application security, the Endor Labs Station 9 report includes contributions from industry experts working at companies such as HashiCorp, Adobe, Palo Alto Networks, Discord, and others.
This report covers both operational and security issues to highlight the top 10 risks associated with the consumption of open source components, all leading to problems that can compromise systems, enable data breaches, undermine compliance or hamper availability.
The top risk in the report is understandably represented by known vulnerabilities present in packages, followed by the possibility that legitimate packages are compromised through an attack on the distribution infrastructure in order to inject malicious code or resources. At the third spot come name confusion attacks, which rely on strategies like typo-squatting, brand-jacking, or combo-squatting to create malicious packages that may lead developers to inadvertently trust them.
While the possibility that open-source software contains known vulnerabilities is usually well-recognized in the industry, which also has many tools at its disposal to counter them, the other two risk factors are relatively new. They fall into the category of supply chain attacks and the industry is just starting to have its first tools to fight them, including Semgrep, Guarddog and others.
The next two risks in the list are unmaintained and outdated software. In both cases, there can be functional as well as security-related implications. For outdated software the fix is as straightforward as updating to the latest package version, although that might be troublesome in the face of accrued incompatibilities.
Other risks included in the list are license and regulatory risks; immature software, such as software that does no apply best practices or lack unit tests; wrong versioning, leading to changes being introduced without the developers being able to review or approve them; and under- or over-sized dependency, i.e. packages providing very little or a lot of functionality.
Those kinds of risks all fall into categories seemingly more manageable with a traditional quality-oriented outlook, albeit they should not be overlooked for a comprehensive approach.
The Station 9 team aims to update the report regularly to reflect technological advances as well as any evolutions in the threat landscape.