OWASP Top 10 OSS Risks: A guide to better open source security

The top 10 open source risks

OWASP

1: Known vulnerabilities

This section covers OSS components with known vulnerabilities such as software flaws, often inadvertently introduced by software developers and maintainers and then subsequently disclosed publicly, often by security researchers in the community.

These vulnerabilities may be exploitable depending on the context in which they are used within an organization and application. While this point may seem trivial, it isn’t — failing to provide developers with this context leads to significant toil, wasted time, frustration and often resentment towards Security.

There are efforts to address this challenge, such as the CISA Known Exploited Vulnerability (KEV) catalog and Exploit Prediction Scoring System (EPSS).

Organizations can take actions to mitigate the risk of OSS components with known vulnerabilities such as scanning for vulnerabilities in all OSS components they use, prioritizing findings based on methods such as known exploitation, exploitation probability, reachability analysis (which can reduce up to 80% of noisy findings), and more.
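The prioritization the paragraph describes can be made concrete. The following is an added example, not code from the article or from OWASP: it combines the three signals named above (known exploitation via the CISA KEV catalog, exploitation probability via EPSS, and reachability of the vulnerable code) into a single triage decision. The KEV set, EPSS scores, finding list and CVE identifiers are all constructed placeholders; in practice the first two would be loaded from the published KEV JSON feed and the EPSS API.

```python
"""Triage known-vulnerability findings in OSS components by exploitation
signals. Added example; the data below is constructed for the demo and the
CVE identifiers are placeholders, not real entries."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the CISA KEV catalog: CVEs with known exploitation.
KEV_CATALOG = {"CVE-PLACEHOLDER-0001"}

# Constructed stand-in for EPSS lookups: CVE -> probability of exploitation.
EPSS_SCORES = {
    "CVE-PLACEHOLDER-0001": 0.91,
    "CVE-PLACEHOLDER-0002": 0.62,
    "CVE-PLACEHOLDER-0003": 0.03,
    "CVE-PLACEHOLDER-0004": 0.45,
}

BUCKETS = ("fix-now", "schedule", "backlog", "suppressed")


@dataclass(frozen=True)
class Finding:
    component: str
    cve: str
    # True/False from reachability analysis; None when no analysis is available.
    reachable: Optional[bool]


def priority(f: Finding, epss_threshold: float = 0.1) -> str:
    """Map one finding to a bucket.

    Order of precedence:
      1. Unreachable code suppresses the finding, except for KEV entries,
         which are kept on the schedule because reachability analysis can
         miss call paths (reflection, plugins, build-time execution).
      2. KEV membership (actively exploited) means fix now.
      3. EPSS above the threshold is scheduled; the rest goes to the backlog.
    """
    in_kev = f.cve in KEV_CATALOG
    if f.reachable is False:
        return "schedule" if in_kev else "suppressed"
    if in_kev:
        return "fix-now"
    if EPSS_SCORES.get(f.cve, 0.0) >= epss_threshold:
        return "schedule"
    return "backlog"


def triage(findings: list) -> dict:
    """Group findings by bucket; within a bucket, highest EPSS first."""
    grouped = {b: [] for b in BUCKETS}
    for f in findings:
        grouped[priority(f)].append(f)
    return {
        b: [f"{f.component}:{f.cve}"
            for f in sorted(items, key=lambda x: -EPSS_SCORES.get(x.cve, 0.0))]
        for b, items in grouped.items()
    }


# Constructed scanner output for five components.
SAMPLE_FINDINGS = [
    Finding("libfoo", "CVE-PLACEHOLDER-0001", reachable=True),   # KEV, reachable
    Finding("libbar", "CVE-PLACEHOLDER-0002", reachable=False),  # high EPSS, unreachable
    Finding("libbaz", "CVE-PLACEHOLDER-0003", reachable=None),   # low EPSS, no analysis
    Finding("libqux", "CVE-PLACEHOLDER-0004", reachable=True),   # moderate EPSS
    Finding("libquux", "CVE-PLACEHOLDER-0001", reachable=False), # KEV but unreachable
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS).items():
        print(f"{bucket:>10}: {items}")
```

The ordering matters: a reachability result is allowed to silence a high-EPSS finding (that is where the noise reduction comes from), but it is not allowed to silence a KEV entry entirely, because a false negative from the analysis would hide an actively exploited flaw.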

2: Compromise of a legitimate package

Next up on the list of Top 10 OSS Risks is the compromise of a legitimate package. Malicious actors realize the value of compromising a legitimate package to impact downstream consumers, both organizationally and individually.

There are a variety of methods they can use to pursue this attack vector, such as hijacking the accounts of the project maintainers or exploiting vulnerabilities in the package repositories themselves.
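One defensive check against a compromised upstream package is to pin the artifact digest in the lockfile and refuse anything that does not match, so a tampered release pushed through a hijacked maintainer account or a repository flaw fails closed at install time. The following is an added example, not code from the article or OWASP: it parses pip's `--hash=sha256:<hex>` requirement pins (a real format) and verifies a fetched artifact against them. The lockfile contents and the artifact bytes are constructed for the demo.

```python
"""Verify fetched package artifacts against hashes pinned in a lockfile.
Added example; the lockfile text and artifact bytes are constructed."""
import hashlib
import hmac
import re

# Constructed artifacts: a "wheel" and an "sdist" for the pinned release,
# plus a tampered build that a compromised upstream might serve instead.
WHEEL_ARTIFACT = b"constructed wheel bytes for examplepkg 1.2.3"
SDIST_ARTIFACT = b"constructed sdist bytes for examplepkg 1.2.3"
TAMPERED_ARTIFACT = b"constructed wheel bytes for examplepkg 1.2.3 + injected code"

WHEEL_HASH = hashlib.sha256(WHEEL_ARTIFACT).hexdigest()
SDIST_HASH = hashlib.sha256(SDIST_ARTIFACT).hexdigest()

# Constructed lockfile in pip requirements format with hash pins.
# 'otherpkg' is deliberately left unpinned to show the fail-closed path.
LOCKFILE = f"""\
# constructed lockfile
examplepkg==1.2.3 \\
    --hash=sha256:{WHEEL_HASH} \\
    --hash=sha256:{SDIST_HASH}
otherpkg==0.1
"""

REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+==[^\s]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_pins(lockfile_text: str) -> dict:
    """Map 'name==version' -> set of pinned sha256 hex digests.

    Handles backslash line continuations and comments; a requirement with
    no --hash options gets an empty set so that verification fails closed.
    """
    pins = {}
    current = None
    for raw in lockfile_text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if m:
            current = m.group(1)
            pins.setdefault(current, set())
            line = line[m.end():]
        if current is None:
            continue  # hash option before any requirement: ignore
        for h in HASH_RE.findall(line):
            pins[current].add(h.lower())
    return pins


def verify_artifact(requirement: str, artifact: bytes, pins: dict) -> bool:
    """Return True only if the artifact's sha256 matches one of the pins.

    Uses a constant-time comparison for each candidate digest; a requirement
    with no pins (or not in the lockfile) is rejected rather than trusted.
    """
    allowed = pins.get(requirement, set())
    digest = hashlib.sha256(artifact).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in allowed)


if __name__ == "__main__":
    pins = parse_pins(LOCKFILE)
    print("wheel ok:   ", verify_artifact("examplepkg==1.2.3", WHEEL_ARTIFACT, pins))
    print("tampered ok:", verify_artifact("examplepkg==1.2.3", TAMPERED_ARTIFACT, pins))
    print("unpinned ok:", verify_artifact("otherpkg==0.1", b"anything", pins))
```

The check only helps if the pinned digests were recorded from a release the team already trusted; it detects a later substitution of that release, not a compromise that predates the pin.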
