What’s Next for Open Source Software Security in 2025?


Open-source software is common throughout the tech world, and tools like software composition analysis can identify dependencies and help secure them. However, working with open source presents security challenges that proprietary software does not.

Chris Hughes, chief security advisor at open-source software security startup Endor Labs, spoke to TechRepublic about the state of open-source software security today and where it might go in the next year.

“Organizations are starting to try to get some foundational things like governance in place to understand what we are using in terms of open source,” Hughes said. “Where does it reside in our enterprise? What applications are running it?”

Open source security trends for 2025

For his work, Hughes defined open source as software for which source code is freely available and can be used to build other projects, possibly with some restrictions. Last year, Harvard Business School found organizations would need to invest $8.8 trillion in technology and labor time to recreate the software used in business if open-source software wasn’t available.

“The estimates are 70-90% of all applications have open source, and roughly 90% of those code bases are entirely made up of open source,” Hughes said.

For 2025, Hughes predicts:

  • Widespread open-source software adoption will be accompanied by increasingly sophisticated attacks on OSS by malicious actors.
  • Organizations will continue to put foundational OSS governance in place.
  • More companies will use open-source and commercial tools to help them start to understand their OSS consumption.
  • Organizations will perform risk-informed consumption of OSS.
  • Enterprises will continue to push for vendor transparency regarding what OSS they use in their products. However, no widespread mandates will arise for this process.
  • AI will continue to impact application security and open source in various ways, including organizations using AI to analyze code and remediate issues.
  • Attackers will target widely used OSS AI libraries, projects, models, and more to launch supply chain attacks on the OSS AI community and commercial vendors.
  • AI code governance, where organizations have more visibility into AI models, will become more common.

Organizations increasingly want to know how secure their open source software is, including “how well is it maintained, who’s maintaining it and how quickly do they address vulnerabilities when they occur,” Hughes said.

He highlighted the attack in April 2024 in which a string of social engineering attempts targeted open-source maintainers, culminating in a backdoor being planted in the XZ Utils utility.

“That one was really kind of sinister because the open source ecosystem is largely sustained by unpaid volunteers, folks doing this in their free time … and often not compensated, unpaid, etc.,” Hughes said. “So, taking advantage of that and preying on that was a pretty nefarious thing that got a lot of people’s attention.”

How is AI changing open-source security?

In October 2024, the Open Source Initiative established a definition for open-source AI. According to the initiative, open-source AI has four key elements: the freedom to use, study, modify, and share the system for any purpose.

Hughes said that defining open-source AI was important because of the rise of distribution platforms like Hugging Face.

“These AI models, especially the open source ones, are widely used by many organizations and individuals around the world,” he said. “So we’re back to asking: What exactly is in this, and who contributed to it, and where is it from? And are there vulnerable components?”

Hughes said that large corporations may have a better chance than small companies of talking transparently with their vendors about the entirety of their software supply chain. As a result, the problem of lacking visibility into the AI models embedded in their software can be far larger for smaller companies.


CISA encourages open-source software development security

In March 2024, CISA finalized the secure software development self-attestation form, meant for developers of software used by the U.S. federal government to confirm they use secure development practices.

Federal agencies may ask for other forms and attestations as well. On the commercial side, organizations may build similar requirements into their procurement processes. There is still an element of trust involved since the organization needs to trust the vendor will keep to their word. But the conversation is happening more often now than it did last year, in the wake of attacks on open source utilities, Hughes said.

Solutions for the future of open source software security

Performing software composition analysis alone isn’t enough going into 2025, Hughes said. IT and security professionals should know that as software becomes more complex, the number of vulnerabilities has grown “to where it’s becoming a tax on developers to even navigate what needs to be fixed and what order of priority.”

Companies like Endor Labs can provide insights on dependencies within open-source code, including indirect or transitive dependencies.

“Being able to point to things like reachability and exploitability … could be a big benefit from the compliance perspective too, in terms of the burden on the organization and your development team,” he said.
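The two ideas in this section, resolving transitive dependencies and then prioritising findings by whether the vulnerable code is actually reachable, can be shown with a small script. The example below is added here and is not code from the article, from Endor Labs, or from any real tool; the package names, advisories, dependency graph and call graph are all constructed, and the function name `triage` is a hypothetical placeholder for what a commercial SCA product would do at much larger scale.

```python
"""
Added example (constructed data, not from the article or any vendor):
1. resolve the full transitive dependency set from a manifest,
2. match each package against an advisory list,
3. rank findings so that vulnerabilities whose affected function is
   reachable from the application's own entry point come first.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
DEPENDENCY_GRAPH = {
    "myapp": ["web-framework", "image-lib"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["yaml-loader"],
    "http-parser": [],
    "image-lib": ["compress-lib"],
    "compress-lib": [],
    "yaml-loader": [],
}

# Constructed advisories: package -> the vulnerable function it ships.
# These are hypothetical; no real CVE or package is referenced.
ADVISORIES = {
    "yaml-loader": "yaml_loader.load_unsafe",
    "compress-lib": "compress_lib.decode",
    "http-parser": "http_parser.parse_chunked",
}

# Constructed static call graph: function -> functions it calls.
CALL_GRAPH = {
    "myapp.main": ["web_framework.serve", "image_lib.thumbnail"],
    "web_framework.serve": ["http_parser.parse_chunked", "template_engine.render"],
    "template_engine.render": ["yaml_loader.load_safe"],
    "yaml_loader.load_safe": [],
    "yaml_loader.load_unsafe": [],
    "http_parser.parse_chunked": [],
    "image_lib.thumbnail": ["compress_lib.decode"],
    "compress_lib.decode": [],
}


def resolve_dependencies(root, graph):
    """Breadth-first walk: return {package: depth} for everything the root
    pulls in. Depth 1 is a direct dependency; deeper is transitive."""
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, depth = queue.popleft()
        if pkg in depths:
            continue
        depths[pkg] = depth
        for child in graph.get(pkg, []):
            if child not in depths:
                queue.append((child, depth + 1))
    return depths


def reachable_functions(entry, call_graph):
    """Depth-first walk of the call graph from the application's entry point."""
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, []))
    return seen


def triage(root, entry, graph, advisories, call_graph):
    """Join the dependency set with the advisory list and sort findings:
    reachable first, then shallower (direct) before deeper (transitive)."""
    depths = resolve_dependencies(root, graph)
    reachable = reachable_functions(entry, call_graph)
    findings = []
    for pkg, depth in depths.items():
        if pkg not in advisories:
            continue
        fn = advisories[pkg]
        findings.append({
            "package": pkg,
            "depth": depth,
            "kind": "direct" if depth == 1 else "transitive",
            "vulnerable_function": fn,
            "reachable": fn in reachable,
        })
    findings.sort(key=lambda f: (not f["reachable"], f["depth"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in triage("myapp", "myapp.main", DEPENDENCY_GRAPH, ADVISORIES, CALL_GRAPH):
        flag = "REACHABLE" if f["reachable"] else "not reached"
        print(f"{flag:12} {f['kind']:10} depth={f['depth']} {f['package']} ({f['vulnerable_function']})")
```

In the constructed data, `yaml-loader` is a third-level transitive dependency that a plain dependency scan would still report, but the application only ever calls its safe loader, so the finding drops to the bottom of the list; the two findings whose vulnerable functions sit on a path from `myapp.main` rise to the top. A static call graph under-approximates reachability where code uses reflection, plugins or dynamic dispatch, so an "unreachable" result lowers priority rather than closing the finding.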
