The top 10 open source risks
OWASP
1: Known vulnerabilities
This category covers OSS components with known vulnerabilities, such as software flaws that are often inadvertently introduced by the software's developers and maintainers and then subsequently disclosed publicly, frequently by security researchers in the community.
These vulnerabilities may be exploitable depending on the context in which the component is used within an organization and application. While this point may seem trivial, it is not: failing to give developers this context leads to significant toil, wasted time, frustration and often resentment toward Security.
There are efforts to address this challenge, such as the CISA Known Exploited Vulnerabilities (KEV) catalog and the Exploit Prediction Scoring System (EPSS).
Organizations can take actions to mitigate the risk of OSS components with known vulnerabilities, such as scanning every OSS component they use for vulnerabilities and prioritizing the findings using methods such as known exploitation, exploitation probability, reachability analysis (which can cut noisy findings by up to 80%), and more.
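As an added example of the prioritization described above (illustration code, not OWASP's; the tier names, the EPSS threshold and the sample findings with placeholder CVE ids are assumptions), a small triage routine that ranks scanner findings by KEV listing, EPSS probability and reachability, with CVSS only as a tie-breaker:

```python
"""Triage known-vulnerability findings using KEV, EPSS and reachability.

Added illustration, not OWASP's code. Every CVE id, score and component
name below is a constructed placeholder.
"""
from dataclasses import dataclass

EPSS_HIGH = 0.10   # assumed threshold: >= 10% predicted 30-day exploitation probability


@dataclass
class Finding:
    component: str
    cve: str
    cvss: float
    epss: float          # EPSS probability, 0..1
    in_kev: bool         # listed in the CISA KEV catalog
    reachable: bool      # vulnerable code reachable from the application


def priority(f: Finding) -> str:
    """Map one finding to a triage tier; a lower number means fix first."""
    if not f.reachable:
        return "P4-unreachable"      # keep on record, but do not block the build
    if f.in_kev:
        return "P1-kev"              # evidence of exploitation in the wild
    if f.epss >= EPSS_HIGH:
        return "P2-likely"           # high predicted exploitation probability
    if f.cvss >= 7.0:
        return "P3-high-cvss"        # severe on paper, no exploitation signal
    return "P4-backlog"


def triage(findings):
    """Sort by tier, then EPSS descending, then CVSS descending."""
    return sorted(findings, key=lambda f: (priority(f), -f.epss, -f.cvss))


def noise_reduction(findings) -> float:
    """Share of findings that reachability analysis deprioritized."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if not f.reachable) / len(findings)


# Constructed sample scanner output (placeholder CVE ids, not real CVEs).
SAMPLE = [
    Finding("libfoo", "CVE-0000-00001", 9.8, 0.02, False, False),  # critical, unreachable
    Finding("libbar", "CVE-0000-00002", 7.5, 0.45, True, True),    # in KEV and reachable
    Finding("libbaz", "CVE-0000-00003", 5.3, 0.30, False, True),   # medium CVSS, high EPSS
    Finding("libqux", "CVE-0000-00004", 8.1, 0.01, False, True),   # high CVSS, low EPSS
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):15} {f.component:7} {f.cve} cvss={f.cvss} epss={f.epss}")
```

Note that the critical-CVSS finding lands last: an unreachable flaw is recorded but does not compete with the KEV-listed one for developer attention.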
2: Compromise of a legitimate package
Next on the list of Top 10 OSS Risks is the compromise of a legitimate package. Malicious actors recognize the value of compromising a legitimate package to impact its downstream consumers, both organizations and individuals.
There are several methods they can use to pursue this attack vector, such as hijacking the accounts of the project maintainers or exploiting vulnerabilities in the package repositories.