Securing Your Software Supply Chain: A Hands-On Guide to Consuming Open Source Safely. Part II

In part I, we explained the fundamentals of the software supply chain and precaution measures needed to secure it at various stages. In part II, we’ll explore the common risks of incorporating open source code into your software supply chain and discuss strategies to mitigate them.

Vulnerabilities

A software vulnerability is a flaw or weakness in a system or program that could be exploited by an attacker to gain unauthorized control or compromise the security of the software or IT network.

The State of Software Supply Chain Security Risks research identifies vulnerabilities as the primary factor behind many software supply chain attacks. Moreover, vulnerabilities in open source code present a particular threat because of its public accessibility: adversaries are free to scrutinize it to identify and potentially exploit weaknesses. According to the 2024 ‘Open Source Security and Risk Analysis’ (OSSRA) report, 84 percent of the 1,000 codebases examined contained at least one open source vulnerability.

As shown in the figure below, the presence of existing security vulnerabilities is the main criteria when assessing the security of open source components:

Source: Ponemon report: The State of Software Supply Chain Security Risks

There are many potential causes that could lead to a software vulnerability, ranging from specific coding errors to flawed architectural design. Moreover, given the complexity of modern applications, even following best practices during the coding and design stages cannot guarantee that an application is free of vulnerabilities. Regardless of how confident you are in the security of your software, it is crucial to implement measures to detect and address any vulnerabilities that may exist. Read on to know what actions can help prevent vulnerabilities from entering your supply chain.

Ways to handle software vulnerabilities

Vulnerability scanning

Vulnerability scanning involves identifying and evaluating potential weaknesses throughout all stages of the software development lifecycle, as well as threats related to the operating environment, such as cloud infrastructure. Conducted by software composition analysis (SCA) tools, it is a highly effective method for detecting most open source vulnerabilities. Key types of scans include:

application scanning
container scanning
misconfiguration scanning
compliance scanning.

Create and maintain SBOMs

An SBOM provides a detailed inventory of all open source components in your applications, including information on their licenses, versions, and patch status. A well-maintained, up-to-date SBOM is a powerful tool for securing your software supply chain, as it aids in assessing exposure and ensures that your code remains secure, compliant, and of high quality.

Stay informed

Being informationally proactive is an essential component of a secure software supply chain strategy. Make sure you have a reliable way to stay informed about newly discovered malicious packages, malware, and disclosed open source vulnerabilities. Seek out newsfeeds or regularly issued advisories that offer actionable insights and details on issues impacting the open source components listed in your SBOM. Public sources like the National Vulnerability Database (NVD) are a good starting point for information on publicly disclosed vulnerabilities in open source software.

Perform regular updates

Keeping your software up to date ensures you are running the most secure version with the necessary patches. In corporate software, vendors typically either update versions automatically or notify their customers when a new security patch is released. However, with open source software, it is up to the users to stay informed about the status of components and to download new versions as they become available.

Dependencies

Software dependencies are external libraries, modules and frameworks developed independently by individuals or groups and incorporated within a project. These dependencies are publicly accessible and available for anyone to use, modify, and distribute. While incorporating open source dependencies can significantly boost the development process, it also introduces potential security risks, particularly when these dependencies are not properly managed or monitored.

Despite this, many organizations neither know nor track their open source dependencies. Research on the State of Software Supply Chain Security Risks revealed that only 39% of respondents maintain an inventory of their open source dependencies, and of those, only a small portion (22%) use automated or policy-based mechanisms to approve or forbid the use of these dependencies.

How to manage software dependencies

Effective dependency management involves creating a detailed inventory of all components and continuously monitoring them for new vulnerabilities and compliance issues. If left unaddressed, vulnerabilities in open source libraries can expose the entire project to significant threats. Regularly updating and monitoring these dependencies is crucial for mitigating such risks.

Licensing

Software licenses outline the rights of developers, vendors, and end users, defining how those rights are protected. Open source alone has over a hundred licensing formats, each with its own specific terms and conditions. A key challenge in using open source code is ensuring that you stay within the boundaries of these licenses without violating their terms.

Failing to comply can lead to serious consequences, such as legal troubles, loss of intellectual property, lengthy remediation efforts, and delays in getting your product to market. That’s why it’s crucial to keep track of the licenses for your open source components and understand their associated obligations.

Common types of license-related issues include:

License conflicts: When different software components within a single product have conflicting licenses, such as integrating open source code within proprietary software or when modified code fails to meet enterprise quality and security standards.
Licensing snippets: The inclusion of code fragments taken from websites that lack clear terms of service, which are then incorporated into a project’s codebase.
AI-generated code: Code produced by AI-powered tools, which raises questions about ownership, copyright, and licensing.

Best practices on open source licensing management

Perform a detailed inventory of all third-party software components in your application, including both open source and commercial software.
Review the licensing terms and conditions for each component to ensure they align with the intended use of your product.
Verify that the licenses of different components are compatible with one another, as some may have conflicting terms.
Implement automated scanning tools to identify and monitor license obligations and restrictions for each component.
Seek guidance from legal experts to ensure compliance with all licensing requirements.

Lack of development

Before incorporating external code, evaluate how well the project is maintained. If you notice there’s been no activity within a year, it’s a red flag to pause and reconsider. A lack of development—especially in smaller projects—means no feature updates, no code improvements, and no fixes for discovered security issues, which significantly increases the risk of using that code.

Best practices for consuming open source safely

Use automated tools to evaluate open source components, such as SCA scanners. These tools perform dependency and code printing checks, binary analysis, snippet analysis, and identify all dependencies included in the application and resolved during a build.
Monitor your supply chain. Regularly inspect its components, as defined in your SBOM, to check for security issues, updates, and license conflicts.
Follow the DevSecOps approach and integrate security into the design and development phases of the SDLC. This process includes threat modeling, secure coding practices, and regular code reviews to ensure that software is built with security in mind. Use dedicated frameworks, such as the BSA Framework for Secure Software or the NIST SDLC framework, to ensure safe coding.
Practice code hygiene: Only incorporate code from trusted sources and well-maintained repositories.
Conduct code reviews: Carefully examine the code of any downloaded software before integrating it into your project. Look for any known vulnerabilities, and consider using static code analysis to uncover potential security weaknesses that may not be immediately apparent.

Conclusion

Today, as organizations increasingly rely on the open source ecosystem to develop software, securing open source components is vital to the overall health of the software supply chain. The stakes are high, so safeguarding the software supply chain, primarily its open source elements, must be a cornerstone of any comprehensive cybersecurity strategy.

Best practices for securing a software supply chain include:

Managing dependencies effectively
Regularly updating software
Ensuring the integrity of the supply chain
Tracking the provenance of components

SHALB, a leading DevOps as a Service company, can help you safeguard and strengthen your software supply chain by implementing automated security mechanisms at every stage—from creation and build to deployment and runtime. Contact us today to learn more!