As organizations increasingly rely on open source software, associated security risks grow, demanding more robust and proactive risk management.
Our 2024 State of the Software Supply Chain report dives into these and other emerging challenges, particularly focusing on the concept of "Persistent Risk" — a term highlighting unresolved vulnerabilities and contamination risks within software supply chains.
Let's explore a few insights from the report to better understand the evolution of open source risk and its associated security challenges.
"Persistent Risk" in open source software is a unique category of risk shaped by prolonged exposure to unresolved vulnerabilities.
We defined this concept based on our observations that ongoing, unresolved threats in software can degrade its security integrity over time.
Persistent Risk encompasses two main factors:
Unfixed Risk refers to known software vulnerabilities that remain unaddressed, posing a continuous threat. It includes the time needed to fix these issues. Unpatched vulnerabilities create a persistent pathway for exploitation, keeping software at risk.
Corrosive Risk involves vulnerabilities in current and past releases that need time to resolve, like Unfixed Risk. It also accounts for delays in detecting vulnerabilities in older versions, allowing risks to accumulate and gradually weaken the software's security.
Unfixed and Corrosive Risk create Persistent Risk, like rust on metal — the longer vulnerabilities go unaddressed, the more they grow, leading to a decline in software resilience and increased vulnerability to breaches. This underscores the urgency for timely identification and resolution to prevent long-term security issues.
The 2024 report reveals a critical truth: components with Persistent Risk degrade over time, increasing the chance of systemic failures. Importantly, 95% of downloaded vulnerable components had a fix available, highlighting the need for proactive management.
Three primary behaviors drive Persistent Risk within organizations:
Choice: Many organizations struggle to discern high-quality open source components, often selecting components with known vulnerabilities. By focusing on projects with strong security practices, companies can significantly reduce Persistent Risk. This year's report identified that 762,000 open source components — out of the 7 million available — are actively chosen, underscoring the importance of selective, quality-driven choices.
Complacency: Leaving dependencies unmanaged or outdated introduces significant risk. The report found that 80% of enterprise application dependencies were unmanaged and outdated within a year, which escalates the risk of corrosion within the codebase.
Contamination: The presence of open source malware compounds Persistent Risk. Notably, peripheral components — those not frequently used in enterprise environments — are 25 times more likely to contain malware than core components, highlighting the need for vigilant dependency management to prevent contamination.
Open source consumption practices, more than the inherent quality of the components, play a significant role in Persistent Risk.
While quality remains a priority, our report found that proactive measures, such as using software bills of materials (SBOMs) and dependency management tools, are essential for maintaining a secure software supply chain.
Additionally, the Open Source Security Foundation (OpenSSF) Scorecard serves as a valuable tool in evaluating the responsiveness and quality of open source projects, offering developers insights into project stability and security practices.
As open source usage scales, so must the sophistication of risk management strategies.
Best practices highlighted by the report for mitigating Persistent Risk include:
Selective component selection: Choosing components from reputable, actively maintained projects can reduce exposure to Persistent Risk. This involves examining project quality indicators, such as update frequency, responsiveness to vulnerabilities, and alignment with SBOM standards.
Proactive dependency management: Dependency neglect, or "complacency," allows vulnerabilities to fester and corrode security. Regularly updating dependencies and choosing non-vulnerable versions where available is critical, especially since our report found that 13% of all Log4j downloads were still of a vulnerable version nearly three years after fixes became available.
Enhanced malware detection: The growing prevalence of open source malware calls for heightened awareness and adoption of advanced scanning tools to identify both known and novel malware threats. Traditional tools may miss more sophisticated attacks, underscoring the need for evolving security measures.
Addressing Persistent Risk proactively not only preserves software integrity but also builds resilience against escalating software supply chain threats.
To learn more about the state of open source and how to protect your software supply chain, check out the full State of the Software Supply Chain report.