Thanks to our friends at Help-Net Security for this submission.
The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up.
Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with these components making up more than 80% of the average codebase.
But the widespread use of open source code has certain consequences. As with custom or home-grown code, open source libraries can contain vulnerabilities, and those vulnerabilities may be exploited by cybercriminals targeting these components as attack vectors to gain access to networks, intercept sensitive data, and influence or impede an application’s functionality. Open source code is distinct from custom code, however, in that its vulnerabilities – and many exploits for them – are published online, making it a particularly attractive target for malicious actors.