
Volume 301, Issue 4 · IT News · FOSS

The Double-Edged Sword Of Open-Source Software

HelpNet Security, Monday, April 24, 2023

The lack of visibility into the software supply chain creates an unsustainable cycle of discovering vulnerabilities and weaknesses in software and IT systems, overwhelming organizations, according to Lineaje.

Diversity and complexity of the open-source community

Lineaje Data Labs analyzed 41,989 open-source components embedded in the 44 most popular projects of the Apache Software Foundation, across the last three versions of each project. The analysis revealed that 68% of those dependencies are on open-source projects outside the Apache Software Foundation.

These dependencies make the integrity of even an Apache Software Foundation project, and the risk it inherits, only as strong as the weakest component it embeds. Direct dependencies account for only 10% of the total; the remaining 90% are transitive dependencies, pulled in by the direct ones and rarely visible to the developers selecting those packages. The result is a deep and opaque software supply chain that developers cannot see into.
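The direct-versus-transitive split the article cites is something a team can measure for its own builds from an SBOM's dependency graph. The following is an added example, not code from the article or from Lineaje: it walks a constructed CycloneDX-style "dependencies" section (placeholder package names, not Lineaje's data), classifies each component by its shortest distance from the application's own component, and reports the transitive share, the deepest chain, and the share of components outside an assumed "own" namespace (the analogue of the 68% non-ASF figure).

```python
"""Classify SBOM components as direct or transitive dependencies.

Added illustration of the visibility gap described above. The SBOM fragment
below is constructed for this example; package names are placeholders.
"""
from collections import deque

# Constructed CycloneDX 1.4-style "dependencies" section. Each entry lists the
# bom-refs a component depends on directly; the root is the application itself.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0"}},
    "dependencies": [
        {"ref": "pkg:maven/example/app@1.0",
         "dependsOn": ["pkg:maven/org.apache/lib-a@2.1",
                       "pkg:maven/org.apache/lib-b@3.0"]},
        {"ref": "pkg:maven/org.apache/lib-a@2.1",
         "dependsOn": ["pkg:maven/thirdparty/json@1.8",
                       "pkg:maven/thirdparty/http@4.5"]},
        {"ref": "pkg:maven/org.apache/lib-b@3.0",
         "dependsOn": ["pkg:maven/thirdparty/http@4.5"]},
        {"ref": "pkg:maven/thirdparty/http@4.5",
         "dependsOn": ["pkg:maven/thirdparty/codec@1.2"]},
        {"ref": "pkg:maven/thirdparty/codec@1.2", "dependsOn": []},
        {"ref": "pkg:maven/thirdparty/json@1.8", "dependsOn": []},
    ],
}


def dependency_depths(sbom):
    """Return {bom-ref: shortest depth from the root component}.

    Depth 1 is a direct dependency, depth >= 2 is transitive. Breadth-first
    search with a visited set gives the shortest path and tolerates cycles.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depths:  # first visit is the shortest path
                depths[child] = depths[node] + 1
                queue.append(child)
    depths.pop(root)  # the application is not its own dependency
    return depths


def classify(sbom):
    """Split components into direct and transitive and summarize the graph."""
    depths = dependency_depths(sbom)
    direct = sorted(r for r, d in depths.items() if d == 1)
    transitive = sorted(r for r, d in depths.items() if d > 1)
    return {
        "direct": direct,
        "transitive": transitive,
        "transitive_share": len(transitive) / len(depths),
        "max_depth": max(depths.values()),
    }


def foreign_share(sbom, own_namespace):
    """Fraction of embedded components whose bom-ref is outside own_namespace.

    own_namespace is an assumed purl prefix such as "pkg:maven/org.apache/".
    """
    depths = dependency_depths(sbom)
    foreign = [r for r in depths if not r.startswith(own_namespace)]
    return len(foreign) / len(depths)


if __name__ == "__main__":
    summary = classify(SAMPLE_SBOM)
    print(f"direct: {len(summary['direct'])}, "
          f"transitive: {len(summary['transitive'])} "
          f"({summary['transitive_share']:.0%}), "
          f"deepest chain: {summary['max_depth']}")
    print(f"outside own namespace: "
          f"{foreign_share(SAMPLE_SBOM, 'pkg:maven/org.apache/'):.0%}")
```

A component reachable both directly and through another dependency is counted as direct here, because the developer did at least choose it; the transitive set is exactly what nobody selected. On a real SBOM, the components at depth 3 and beyond are the ones to check first for maintenance status and known advisories.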
