Open-source software is everywhere in the tech industry, and tools such as software composition analysis (SCA) can inventory an application's dependencies and flag those with known vulnerabilities. Even so, consuming open source raises security challenges that proprietary software does not present in the same way.
Chris Hughes, principal security consultant at Endor Labs, a startup focused on open-source software security, spoke with TechRepublic about the current state of open-source software security and where it may be heading.
“Companies are beginning to establish essential factors such as governance to comprehend the open-source technologies we utilize. Where does it exist within our organization? Which applications incorporate it?” Hughes said.
Anticipated Trends in Open Source Security for 2025
Hughes defines open source as software whose source code is freely available for use in other projects, possibly with some restrictions. A Harvard Business School study estimated that, if open-source software did not exist, companies would have to spend roughly $8.8 trillion on technology and labor to recreate the software they currently rely on to run their businesses.
“Estimations suggest that 70-90% of applications rely on open source, with approximately 90% of those applications primarily comprised of open-source components,” Hughes shared.
For the year 2025, Hughes envisions:
- Wider adoption of open-source software, and with it more sophisticated attacks on OSS by threat actors.
- Companies continuing to solidify their governance structures for open-source software.
- Increased usage of open-source and commercial tools by organizations to better understand their consumption of OSS.
- Organizations engaging in risk-informed utilization of OSS.
- Enterprises insisting on vendor transparency regarding the OSS utilized in their products, although a universal mandate for this process is not expected.
- The ongoing influence of AI on application security and open source, with entities employing AI for code analysis and issue resolution.
- Threat actors targeting widely-used OSS AI libraries, projects, models, and more to execute supply chain attacks on both the OSS AI community and commercial firms.
- The growing prevalence of AI code governance for organizations to gain deeper visibility into AI models.
Businesses are increasingly keen on assessing the security of their open-source software, questioning “the maintenance quality, the maintenance responsibility, and the promptness in addressing vulnerabilities,” as articulated by Hughes.
He pointed to the XZ Utils incident disclosed at the end of March 2024, in which a multi-year social engineering campaign against the project's maintainer culminated in a backdoor being inserted into the widely used xz compression utility.
“This occurrence was quite malevolent because the open-source ecosystem majorly relies on unpaid volunteers who contribute in their spare time without compensation. Hence, exploiting this vulnerability was a sinister act that garnered significant attention,” Hughes expressed.
The Influence of AI on Open-Source Security
In October 2024, the Open Source Initiative introduced a definition for open-source AI, emphasizing the freedom to utilize, examine, amend, and distribute the system for any purpose.
The rise of distribution platforms such as Hugging Face underscores the significance of defining open-source AI.
“Given the widespread use of these AI models, particularly the open-source variants, by numerous organizations and individuals globally, the question arises again: What comprises these models, who contributed to them, and what is their origin? Are there any susceptible components?” Hughes said.
Large corporations may find it easier to engage in transparent dialogues with their vendors regarding their entire software supply chain compared to smaller entities. Consequently, the challenge of lacking visibility into the AI models integrated into their software may escalate disproportionately for small companies.
CISA’s Advocacy for Security in Open-Source Software Development
In March 2024, CISA finalized the secure software development self-attestation form, intended for developers of software employed by the U.S. government to affirm their usage of secure development methodologies.
Aside from this form, federal agencies may demand further attestations. Meanwhile, on the commercial front, companies may include similar requirements in their procurement processes. While there is an element of trust involved, with organizations relying on vendors to uphold their commitment, the discourse on this front has become more prevalent following the attacks on open-source utilities, according to Hughes.
Approaches for Ensuring Future Open Source Software Security
According to Hughes, software composition analysis alone will not suffice heading into 2025. “IT experts and security professionals must acknowledge that as software complexities increase, so do vulnerabilities, leading to developers facing a taxing ordeal in determining what needs fixing and prioritizing concerns,” Hughes emphasized.
Tools from companies such as Endor Labs map the dependencies in open-source code, including the indirect (transitive) dependencies pulled in by the packages a project depends on directly.
“Being equipped to identify factors like reachability and exploitability could offer significant advantages, including from a compliance standpoint, in reducing the organizational and development team burden,” he noted.
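As an added illustration (not Endor Labs code, and not a description of any vendor's actual algorithm), the following Python sketches the difference between a plain SCA match and the reachability-aware triage Hughes describes. The dependency graph, package versions, advisory feed and call graph are all constructed inline for the example; the package and function names are made up. It walks the dependency graph to find transitive dependencies, matches them against advisories, and then checks whether the vulnerable function is actually reachable from the application's entry point before deciding priority.

```python
from collections import deque

# Constructed dependency graph, as a lockfile would resolve it: package -> dependencies.
# Package names and versions are made up for the example.
DEP_GRAPH = {
    "app": ["web-framework", "image-tools"],
    "web-framework": ["http-parser", "template-engine"],
    "image-tools": ["compress-lib"],
    "http-parser": [],
    "template-engine": ["compress-lib"],
    "compress-lib": [],
}
VERSIONS = {
    "web-framework": "4.2.0", "image-tools": "1.9.3", "http-parser": "2.0.1",
    "template-engine": "3.1.0", "compress-lib": "5.6.1",
}

# Constructed advisories. A real feed (OSV, GHSA, NVD) gives version ranges;
# affected versions are enumerated here to keep the example dependency-free.
ADVISORIES = [
    {"id": "ADV-0001", "package": "compress-lib", "affected": {"5.6.0", "5.6.1"},
     "vuln_function": "compress-lib.decode_stream"},
    {"id": "ADV-0002", "package": "http-parser", "affected": {"2.0.1"},
     "vuln_function": "http-parser.parse_chunked"},
]

# Constructed static call graph of the application and its libraries: function -> callees.
CALL_GRAPH = {
    "app.main": ["web-framework.serve", "image-tools.thumbnail"],
    "web-framework.serve": ["http-parser.parse_request", "template-engine.render"],
    "http-parser.parse_request": ["http-parser.parse_headers"],
    "http-parser.parse_headers": [],
    "http-parser.parse_chunked": [],          # shipped in the library, never called by the app
    "template-engine.render": ["compress-lib.encode_stream"],
    "image-tools.thumbnail": ["compress-lib.decode_stream"],
    "compress-lib.encode_stream": [],
    "compress-lib.decode_stream": [],
}


def transitive_deps(graph, root):
    """Breadth-first walk of the dependency graph.

    Returns {package: depth}; depth 1 is a direct dependency, deeper values are
    transitive. The shortest path is kept when a package is reached more than once.
    """
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, d = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in depth:
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def find_vulnerable(deps, versions, advisories):
    """Classic SCA step: match every resolved package/version against the advisory feed."""
    return [adv for adv in advisories
            if adv["package"] in deps and versions.get(adv["package"]) in adv["affected"]]


def reachable_functions(call_graph, entrypoints):
    """Every function reachable from the application's entry points via the call graph."""
    seen = set()
    stack = list(entrypoints)
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, []))
    return seen


def triage(root="app", entrypoints=("app.main",)):
    """SCA hit list annotated with dependency depth and reachability, reachable first."""
    deps = transitive_deps(DEP_GRAPH, root)
    reach = reachable_functions(CALL_GRAPH, entrypoints)
    findings = []
    for adv in find_vulnerable(deps, VERSIONS, ADVISORIES):
        findings.append({
            "id": adv["id"],
            "package": adv["package"],
            "version": VERSIONS[adv["package"]],
            "depth": deps[adv["package"]],
            "reachable": adv["vuln_function"] in reach,
        })
    # Reachable vulnerable code first; among equals, shallower (easier to upgrade) first.
    findings.sort(key=lambda f: (not f["reachable"], f["depth"]))
    return findings


if __name__ == "__main__":
    for f in triage():
        flag = "FIX NOW" if f["reachable"] else "lower priority (vulnerable function not reachable)"
        print(f"{f['id']} {f['package']}=={f['version']} depth={f['depth']}: {flag}")
```

Both advisories are genuine SCA hits (the affected versions are present in the resolved tree), but only ADV-0001 is reachable: the application calls into the vulnerable decoder through a transitive dependency, while the vulnerable function behind ADV-0002 is never invoked. A real tool would derive the call graph from the actual code and evaluate proper version ranges, but the ordering logic is the same: a vulnerable package that cannot be reached is a backlog item, not a fire drill.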
