QCon London: A Three-Step Blueprint For Managing Open Source Risk
InfoQ, Tuesday, April 8th, 2025
At QCon London 2025, vulnerability manager Celine Pypaert discussed managing open-source dependency risks while maintaining momentum in innovation. She described a three-part blueprint for handling the security challenges that arise with the now widespread use of open-source dependencies.
Pypaert explained that open-source components are present in 96% of commercial codebases, according to a 2024 report from Black Duck. She described how people can misplace trust in familiar software, whether used personally on their own devices or by enterprises. She cited recent security incidents such as the XZ Utils backdoor, where a rogue contributor earned the trust of the project's sole maintainer by committing valuable code before eventually inserting malicious code, and the left-pad incident, where the deletion of a single vital package from npm caused React-based applications to break.