OWASP Top 10 OSS Risks: A guide to better open source security
- by nlqip
The top 10 open source risks
OWASP
1: Known vulnerabilities
This section covers OSS components with known vulnerabilities such as software flaws, often inadvertently introduced by software developers and maintainers and then subsequently disclosed publicly, often by security researchers in the community.
These vulnerabilities may be exploitable depending on the context in which they are used within an organization and application. While this point may seem trivial, it isn’t — failing to provide developers with this context leads to significant toil, wasted time, frustration and often resentment towards Security.
There are efforts to address this challenge, such as the CISA Known Exploited Vulnerability (KEV) catalog and Exploit Prediction Scoring System (EPSS).
Organizations can mitigate the risk of OSS components with known vulnerabilities by scanning every OSS component they use for vulnerabilities and then prioritizing the findings using methods such as known exploitation, exploitation probability, and reachability analysis (which can reduce noisy findings by up to 80%), among others.
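The prioritization the section describes (known exploitation first, then exploitation probability, with reachability analysis used to cut noise), worked through as an added triage routine that is not code from the original article. Every CVE id, EPSS score, the KEV snapshot and the 0.1 EPSS cut-off below are constructed placeholders, not real data.

```python
"""Triage of known-vulnerability findings in OSS components (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    component: str   # OSS package and version from the dependency scan
    cve: str         # placeholder identifier, not a real CVE
    cvss: float      # base severity, 0-10
    epss: float      # EPSS exploitation probability, 0-1 (constructed)
    reachable: bool  # reachability analysis: is the vulnerable code ever called?


# Constructed snapshot of the CISA KEV catalog (placeholder ids only)
KEV = {"CVE-EXAMPLE-0002"}

EPSS_THRESHOLD = 0.1  # assumed cut-off; tune to the organisation's risk appetite


def priority(f: Finding, kev: set[str] = KEV) -> str:
    """Map one finding to an action bucket, most urgent rule first."""
    if f.cve in kev:
        # Exploited in the wild: never drop it. Reachability analysis can miss
        # dynamic call paths, so an unreachable KEV entry is demoted, not suppressed.
        return "fix-now" if f.reachable else "fix-soon"
    if not f.reachable:
        return "monitor"       # noise reduction: vulnerable function is not called
    if f.epss >= EPSS_THRESHOLD or f.cvss >= 9.0:
        return "fix-soon"
    return "backlog"


def triage(findings: list[Finding], kev: set[str] = KEV) -> dict[str, list[str]]:
    """Group finding ids by bucket; within a bucket, higher EPSS then CVSS comes first."""
    buckets: dict[str, list[str]] = {"fix-now": [], "fix-soon": [], "backlog": [], "monitor": []}
    for f in sorted(findings, key=lambda x: (-x.epss, -x.cvss)):
        buckets[priority(f, kev)].append(f.cve)
    return buckets


# Constructed sample output of a dependency scan
SAMPLE = [
    Finding("libfoo 1.2.3", "CVE-EXAMPLE-0001", 9.8, 0.02, reachable=False),
    Finding("libbar 4.0.1", "CVE-EXAMPLE-0002", 7.5, 0.30, reachable=True),
    Finding("libbaz 0.9.0", "CVE-EXAMPLE-0003", 5.3, 0.01, reachable=True),
    Finding("libqux 2.1.0", "CVE-EXAMPLE-0004", 8.1, 0.45, reachable=True),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket:8s} {ids}")
```

Note that the highest-CVSS finding lands in "monitor" while a lower-severity one in KEV is fixed first, which is the point of prioritizing on exploitation rather than raw severity.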
2: Compromise of a legitimate package
Next up on the list of Top 10 OSS Risks is the compromise of a legitimate package. Malicious actors realize the value of compromising a legitimate package to impact downstream consumers, both organizationally and individually.
There are a variety of methods they can use to pursue this attack vector, such as hijacking the accounts of project maintainers or exploiting vulnerabilities in the package repositories themselves.