"Endor Labs Unveils New Research on Impact of Open-Source Software on Supply Chain Security"

Endor Labs has published "The State Of Dependency Management," a report on the widespread but often unmonitored use of existing open-source software in application development and the risks that come with this common practice. The research finds that 95 percent of all vulnerabilities occur in transitive dependencies: open-source packages that developers did not choose directly but that are still pulled into their projects indirectly. This is the first report from Station 9, Endor Labs' research capability, which brings together researchers, academics, and thought leaders worldwide. It analyzes the complexities underlying reliance on open-source software and shows why traditional methods of vulnerability remediation need far more scrutiny.

According to the report, the problem is not the widespread use of existing open-source code in new applications as such. Rather, only a small fraction of an application's software dependencies are selected by its developers; the remainder are transitive, or indirect, dependencies. This creates significant exposure for both security and development teams. Because most vulnerabilities are found in transitive dependencies, developers struggle to assess the true impact of these issues, or even whether the vulnerable code is reachable from their application.

A comparison of the two most popular community initiatives for identifying critical projects, Census II and the OpenSSF Criticality Score, shows that determining criticality is complex: 75 percent of Census II packages have a Criticality Score below 0.64. Organizations must therefore determine for themselves which open-source projects are critical to them. Threat actors have exploited dependency confusion in recent supply chain attacks, yet the risk indicators covered by widely used initiatives typically do not detect such attacks.

Fifty percent of the most popular Census II packages had no release in 2022, and 30 percent had their most recent release before 2018; such stale packages have the potential to cause serious security and operational problems in the future. Even when upgrading to the most recent version of a package, there is still a 32 percent chance that it contains known vulnerabilities, showing that new does not mean secure. This article continues with further key findings from Endor Labs' report on dependency management.

Business Wire reports "Endor Labs Unveils New Research on Impact of Open-Source Software on Supply Chain Security"
