Chart of the week - All pages

DEC 2023 : Volume 1

A Positive Revelation with Open Source Software!

A Positive Revelation with Open Source Software!

Recent findings based on Lineaje Labs study, reveal that asignificant 89% of components in open source projects are free from vulnerabilities! This discovery challenges the misconception that open source inherently compromises software security.

Recommendations for Developers and Software Security Teams:

Diligent Component Selection: Conduct thorough research and select components with a strong history of security in Open-Source projects.
Continuous Monitoring: Implement continuous monitoring mechanisms to stay informed about the security status of chosen Open-Source components.
Community Engagement: Encourage active participation and engagement with the Open-Source community. Collaboration enhances collective security efforts.
Education and Training: Provide ongoing education and training for developers and security teams on best practices for selecting and integrating Open-Source securely.
Nth Level Dependency Discovery: Deploy advanced tools for nth-level dependency discovery. Uncover dependencies within dependencies to gain a comprehensive understanding of the entire software supply chain, ensuring developers opt for the most secure, vulnerability-free options.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

Nov 2023 : Volume 2

90% of software components in Open-Source are transitive, invisible dependencies

Introduction

The recent finding that 90% of software components in open-source software reside in transitive, invisible dependencies carries significant security implications for the software development community:

Increased Attack Surface: Transitive dependencies introduce a larger attack surface. Malicious actors may exploit vulnerabilities in these components to gain unauthorized access or execute attacks.
Undetected Vulnerabilities: Developers may not be aware of the existence of these dependencies, making it harder to identify and mitigate potential vulnerabilities. This increases the risk of using outdated or vulnerable components.
Delayed Patching: As these dependencies are less visible, they are more likely to be overlooked when it comes to security patching. This delay in addressing vulnerabilities leaves systems exposed to potential threats.
Chain of Trust: Trust in the security of open-source software is predicated on the assumption that direct and transitive dependencies are secure. If a vulnerability exists within a transitive dependency, it can undermine the entire chain of trust.

Mitigation Measures:

Addressing this issue requires a multi-faceted approach:

Deep N-th Level Dependency Scanning: Implement robust dependency scanning tools that can identify and track both direct and transitive dependencies. This provides visibility into the entire, n-th-level dependency tree.
Automated Vulnerability Scans: Regularly scan dependencies for known vulnerabilities. Utilize automated tools that can detect and alert developers to security issues in real time.
Component Level Security Assessments: Conduct thorough reviews of both direct and transitive dependencies. Evaluate their security posture, popularity, and community support to make informed decisions.
Continuous Monitoring: Implement continuous monitoring of dependencies for security updates and patches. Automated alerts can notify developers of new vulnerabilities.
Fallback Mechanisms: Establish fallback mechanisms to quickly switch out or update dependencies in case of a critical security issue.
Audit Trails: Maintain detailed records of all dependencies and versions used in a project. This facilitates traceability and assists in identifying and addressing vulnerabilities.
Community Engagement: Engage with the open-source community to stay informed about updates, security patches, and best practices for managing dependencies.

Conclusion

By implementing these measures, organizations can better manage the security implications of transitive dependencies in open-source software, reducing the risk of potential vulnerabilities and enhancing the overall security posture of their software projects.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

Nov 2023 : Volume 1

Every Open-Source dependency is a software supply chain by itself!

Introduction

Brace yourselves for a game-changing revelation! Recent research has shed light on a pivotal security insight: a staggering 68% of code in Open Source Software (OSS) packages is contributed by providers and suppliers other than the package owner!

This finding carries profound security implications, underlining the intricate web of dependencies within OSS projects. It reinforces the critical need for a robust Software Supply Chain Security Management Service. Understanding and addressing these implications is paramount.

Implications for the Software Ecosystem

Increased Attack Surface: With a majority of code contributions coming from various sources, the attack surface expands. This means potential vulnerabilities may be introduced from external contributors, potentially exposing your software to new threats.
Hidden Vulnerabilities: The code contributed by external parties may not undergo the same rigorous security checks as internally developed code. This increases the risk of hidden vulnerabilities, which could be exploited by malicious actors.
Limited Control: When a significant portion of your codebase is contributed by external providers, you have less direct control over its quality and security. Relying on external sources can introduce an element of uncertainty in the integrity of your software.
Delayed Patching: If a vulnerability is identified in an external contribution, the response time to patch it may be dependent on the responsiveness of the original contributor. This can lead to delays in addressing critical security issues.
Supply Chain Attacks: Malicious actors may attempt to compromise the software supply chain, injecting malicious code or compromising dependencies. This can have widespread implications for downstream users who unknowingly incorporate compromised code into their projects.

Conclusion

Given these implications, a robust Software Supply Chain Security Management capability is essential. It provides a structured approach to mitigating these risks, ensuring that you can reap the benefits of open source collaboration without compromising security.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

OCT 2023 : Volume 4

Unearthing the Hidden Risks: Critical Inherent Risk Scores in Open-Source Components
Insights into your Software Supply Chain

Introduction

In today's rapidly evolving tech landscape, open-source software has become the backbone of countless applications and systems. However, a recent study by Lineaje AI Labs has shed light on a concerning statistic - a staggering 40% of open-source software components have a Critical inherent risk score.

Understanding Inherent Risk Score

An inherent risk score measures the potential software supply chain threats and vulnerabilities that are inherent to a software component. It encompasses vulnerabilities, code quality, security posture, open and unfixed issues, age, and other fundamental issues that pose a risk to the security and stability of a software project.

Implications for the Software Ecosystem

This revelation raises important questions about the security posture of the software we rely on. Here are some of the implications we need to consider:

Long-term Vulnerabilities: Inherent risks are not easily patched or fixed through routine updates. This means that even seemingly stable open-source components may carry latent “weaknesses” that could be exploited in the future.
Complexity Management: Identifying and addressing inherent risks requires a deep understanding of the software's architecture. This can be a challenging task, particularly in projects with a large and diverse codebase.
Shift Towards Proactive Security: Focusing solely on vulnerabilities may not be enough. Organizations must now adopt a proactive approach to identifying and mitigating inherent risks from the outset by Shifting Left of "Shift-Left".
Dependency Evaluation: Relying on components with high inherent risks can have a cascading effect on the security of the entire software ecosystem. A comprehensive assessment of dependencies is now more critical than ever.

Conclusion

The revelation of a high prevalence of critical inherent risk scores in open-source components represents a startling data point for the industry. It underscores the need for a more nuanced approach to software security, one that goes beyond addressing surface-level vulnerabilities. By embracing proactive measures and truly understanding what's in your software, we can fortify the foundation of the software that powers our digital world.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

OCT 2023 : Volume 3

Packages are reused 2.7 times on average within the same Open-Source Project

The Data

Based on Lineaje AI Labs research the majority of vulnerabilities in open-source are not fixed by open source developers. Lineaje AI labs analyzed 121,443 open-source projects and discovered 118,573 vulnerabilities in them. The saving grace is that vulnerabilities are not evenly distributed across dependencies.

The Implication

Inherited Vulnerabilities: With packages being reused multiple times within a single project, a single compromised package must be patched multiple times for each instance of the component.
Direct vs Transitive: The same dependency may exist as both a direct component and a transitive component necessitating different patching approaches.
Reachability: The reuse of packages within a project can lead to intricate dependency chains. Reachability has to consider all possible usages of the same package.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Lab Report; April 2023

OCT 2023 : Volume 2

Fixed vs Unfixed Vulnerabilities Distribution in Open-Source Software

The Data

The Implication

Select well managed open-source dependencies that also have well managed open-source dependencies: The reputation of your direct open-source dependency matters little, if their supply chain consists of badly maintained components. Assess the entire supply chain, not just your direct dependency to ensure you ship secure software.
Good innovators are not necessarily good maintainers: The most innovative projects are not always the most well maintained. It is highly likely that your open-source dependencies meet your innovation goals but fail miserably in meeting your software maintainability goals.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

OCT 2023 : Volume 1

Vulnerabilities by Dependency Level in Open-Source Projects

The Data

Based on Lineaje Labs research a staggering 77% of vulnerabilities in open-source reside within transitive dependencies (which your developers cannot patch). Open Source Projects pull in 20+ levels of dependencies. Along with those dependencies come their vulnerabilities. Lineaje AI labs analyzed 121,443 open source projects and discovered 118,573 vulnerabilities in them.

Fixable by your developers: 23% of vulnerabilities are in direct dependencies. These are patchable when fixes are available as independent patches, minor updates or major version upgrades.
‍Mostly not fixable by your developers: 77% of vulnerabilities are in transitive dependencies. Patching these is complicated. Less than 32% of all fixes available are in the form of independent patches. Even picking up independent patches for Transitive Dependency Level 2 and below can break your dependency and your application.

The Implication

A Paradigm Shift in Vulnerability Management: This statistic underscores the need for a paradigm shift in how we manage vulnerabilities. Developers and security teams must now broaden their scope beyond direct dependencies, conducting thorough evaluations of the entire software supply chain dependency tree.
‍Collaboration is Key: With the majority of vulnerabilities residing in transitive dependencies, fostering strong collaboration within the open-source community becomes paramount. Sharing knowledge, experiences, and best practices for managing dependencies will strengthen the collective effort to secure the open-source ecosystem.
Strategic Decision-making on Alternatives or “Inner Source”: In cases where transitive dependencies pose insurmountable risks, project stakeholders may need to consider alternatives. This could involve exploring different components or even opting for custom solutions by building components in-house (inner source).
Elevated Trust in Open-Source Software: By actively managing vulnerabilities in transitive dependencies, the open-source community can build and maintain trust with users. This transparency and dedication to security demonstrate a commitment to providing reliable and secure software solutions.
Beware App-sec tools pushing “quick vulnerability remediation”: Asking your developers to patch vulnerabilities in transitive dependencies is a risky, sub-optimal approach to vulnerability remediation.

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

Sept 2023 : Volume 1

What’s in your open-source software?

The Data

Lineaje research indicates that 8.3% of Open Source Software is of unknown origin.

3% of components embedded in open source software as dependencies don’t come from where the open source developers claimed to have gotten them from. So you don’t know where they came from and neither do the developers that included them!
5.3% of all components come from the PURL (Package URL) where they were included. However, the version included does not match the version published by the developing product. They have been tampered with and the tampered source code from where they were built is not available to you.

The Implication

Lack of Trust: Components with dubious or unknown origins do not undergo the same level of scrutiny or security checks as well-established, reputable sources.
Potential for Malicious Insertions: Components of unknown origin may have been tampered with, potentially containing backdoors, malware, or other malicious code that could compromise the security of the system.
Limited Patch Availability: In the event of a vulnerability discovery, it may be difficult or impossible to obtain timely patches or updates for components of dubious origin, leaving the software exposed to potential exploits.
Remediation Efforts: Identifying and replacing components of dubious origin can be resource-intensive and time-consuming.
Opaque Dependencies: Far unknown components understanding the function the component provides is difficult and the dependencies it includes are opaque.

‍Unknown components in your software are a high risk and well-known Open source components pull them into your software.
‍

Get Started

< Back to Chart of the week

Source: “What’s In Your Software: An Approach to Enhance Software Supply Chain Security demonstrate by a deep analysis of the Apache Software Foundation”; Lineaje AI Labs Report; April 2023

Lineaje Weekly Chart

Insights into your Software Supply Chain

What’s in your open-source software?

Accolades

Integrations and Language Support

Trusted by brands globally

Only Software that is Built Secure, Can Run Secure