Buggy, Vulnerable Open-Source Code Seeps Into Business Tech
– Emily
Many companies are using open-source software irresponsibly, often downloading versions with known vulnerabilities, including ones that have already led to significant breaches. This is a significant concern for the U.S. government, which is working to improve cybersecurity, especially after the Log4j vulnerability caused widespread panic in December 2021. Despite the known risks, Log4j has been downloaded nearly 250 million times since December 2021, and 29% of those downloads were vulnerable versions. This has led to significant damage, including a ransomware attack on Suffolk County, N.Y., which cost over $5 million to investigate and recover from.

Open-source software is valuable for development, but the ecosystem also carries unpatched, vulnerable versions of packages and, in some cases, deliberately malicious code. Companies often fail to vet what they use because automated build tools pull code straight from repositories. The issue extends beyond Log4j: research from Fortress Information Security found approximately 3,000 open-source components in about 400 products commonly used by critical infrastructure companies.

The Open Source Security Foundation (OpenSSF) and the federal Cyber Safety Review Board have both issued guidance on evaluating open-source software, including developing tools to track where open-source components are deployed and staying informed about emerging vulnerabilities. The key, according to Sonatype's CTO, is knowing what is being introduced into systems, since malicious code in open-source software has grown by 750% on average every year for the past three years.
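The kind of check the guidance above implies, as an added example that is not from the article, Sonatype or OpenSSF: a small inventory gate that compares every dependency a build pulled in against a minimum-version policy and flags the stragglers an automated tool may have dragged along. The inventory lines, the policy floor and the Maven coordinates are constructed for illustration; the real floor belongs in the policy from the vendor advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory in Maven "group:artifact:version" form, as a
# build tool's dependency listing might emit it. Values are illustrative.
INVENTORY = """
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
com.example:internal-utils:1.0.3
org.apache.logging.log4j:log4j-core:2.17.2
org.apache.logging.log4j:log4j-core:2.17.1-rc1
"""

# Hypothetical policy: lowest version accepted per component. The floor is a
# placeholder for this example; take the real one from the vendor advisory.
MIN_SAFE_VERSION: Dict[str, str] = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
}

def parse_version(version: str) -> Tuple[List[int], int, str]:
    """Turn '2.17.1-rc1' into a sortable key.

    Numeric parts are padded so '2.17' == '2.17.0'; a qualifier such as
    'rc1' or 'beta9' marks a pre-release, which sorts below the final build.
    """
    parts = re.split(r"[.\-]", version.strip())
    nums = [int(p) for p in parts if p.isdigit()]
    qualifier = "".join(p for p in parts if not p.isdigit())
    nums += [0] * (4 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier)

def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs, skipping blank or malformed lines."""
    items = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3:
            items.append((f"{fields[0]}:{fields[1]}", fields[2]))
    return items

def find_violations(items: List[Tuple[str, str]],
                    policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List every (component, version, floor) whose version is below the floor."""
    return [(name, ver, policy[name]) for name, ver in items
            if name in policy and parse_version(ver) < parse_version(policy[name])]

if __name__ == "__main__":
    for name, ver, floor in find_violations(parse_inventory(INVENTORY), MIN_SAFE_VERSION):
        print(f"BLOCK {name} {ver}: below policy floor {floor}")
```

Note that the same artifact appears three times in the sample inventory, which is exactly the situation a transitive pull creates; only the two versions below the floor are reported.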
Link: https://technocharger.com/buggy-vulnerable-open-source-code-seeps-into-business-tech/