The highest 10 open supply dangers
OWASP
1: Identified vulnerabilities
This part covers OSS parts with recognized vulnerabilities similar to software program flaws, usually inadvertently launched by software program builders and maintainers after which subsequently disclosed publicly, usually by safety researchers locally.
These vulnerabilities could also be exploitable relying on the context through which they’re used inside a company and software. Whereas this level could seem trivial, it isn’t — failing to offer builders with this context results in important toil, wasted time, frustration and sometimes resentment in direction of Safety.
There are efforts to deal with this problem, such because the CISA Identified Exploited Vulnerability (KEV) catalog and Exploit Prediction Scoring System (EPSS).
Organizations can take actions to mitigate the chance of OSS parts with recognized vulnerabilities similar to scanning for vulnerabilities in all OSS parts they use, prioritizing findings based mostly on strategies similar to recognized exploitation, exploitation likelihood, reachability evaluation (which might cut back as much as 80% of noisy findings), and extra.
2: Compromise of a reliable package deal
Subsequent up on the record of Prime 10 OSS Dangers is the compromise of a reliable package deal. Malicious actors notice the worth of compromising a reliable package deal to affect downstream shoppers, each organizationally and individually.
There are a number of strategies they’ll use to pursue this assault vector, similar to hijacking the accounts of the venture maintainers or vulnerabilities within the package deal repositories.
