Don’t leave open source open to vulnerabilities

by | Aug 18, 2022 | Technology


Open-source software has become the foundation of the digital economy: Estimates are that it constitutes 70 to 90% of any given piece of modern software. 

But while it has many advantages — it is collaborative, evolving, flexible, cost-effective — it is also rife with vulnerabilities and other security issues both known and yet to be discovered. Given the explosion in its adoption, this poses significant risk to organizations across the board. 

Emerging issues are compounding longstanding, traditional vulnerabilities and licensing risks — underscoring the urgency and importance of securing open-source software (OSS) code made publicly and freely available for anyone to distribute, modify, review and share. 

“Recently, the open-source ecosystem has been under siege,” said David Wheeler, director of open-source supply chain security at the Linux Foundation. 


He stressed that attacks aren’t unique to open source — just look at the devastating siege on SolarWinds’ Orion supply chain, which is a closed system. Ultimately, “we need to secure all software, including the open-source ecosystem.”

Situation critical for open source

According to a report by the Linux Foundation, technology leaders are well aware of this fact, but have been slow to adopt security measures for open source. 

Among the findings: 

Just 49% of organizations have a security policy that covers OSS development or use.
59% of organizations report that their OSS is either somewhat secure or highly secure.
Only 24% of organizations are confident in the security of their direct dependencies.
On average, applications have at least five outstanding critical vulnerabilities, according to the report.

Case in point: The systemic issues that led to the Log4Shell incident. The software vulnerability in Apache Log4j — a popular Java library for logging error messages in applications — was both complex and widespread, impacting an estimated 44% of corporate networks worldwide. And it’s still affecting busi …
