
What’s Next for Open Source Software Security in 2025?


Open source software is common throughout the tech world, and tools like software composition analysis can find dependencies and preserve them. However, working with open source presents security challenges compared to proprietary software.

Chris Hughes, chief security advisor at open-source software security startup Endor Labs, spoke to TechRepublic today about the state of open-source software security and where it might go next year.

“Organizations are trying to get some basic things like governance to understand what we’re using in terms of open source,” Hughes said. “Where does it live in our enterprise? What applications are running it?”

Open Source Security Trends to 2025

For this article, open source is defined as software for which the source code is freely available and can potentially be used to build other projects, with some restrictions. Last year, Harvard Business School found that organizations would need to invest $8.8 trillion in technology and labor time to recreate the software used in business if open source software were not available.

“It’s estimated that 70-90% of all applications have open source, and about 90% of those codebases are entirely open source,” Hughes said.

For 2025, Hughes predicts:

  • Along with the widespread adoption of open source software will come increasingly sophisticated attacks on OSS by malicious actors.
  • Organizations will continue to maintain basic OSS governance.
  • More companies will use open source and commercial tools to begin to understand their OSS consumption.
  • Organizations will implement risk-aware use of OSS.
  • Enterprises will continue to push for vendor transparency about what OSS they use in their products. However, no broad mandate will be created for this process.
  • AI will continue to impact application security and open source in a variety of ways, including organizations using AI to analyze code and solve problems.
  • Attackers will target widely used OSS AI libraries, projects, models and more to launch supply chain attacks on the OSS AI community and commercial vendors.
  • AI code governance, where organizations have greater visibility into AI models, will become more common.

Hughes said organizations increasingly want to know how secure their open-source software is, including “how well it’s maintained, who’s maintaining it and how quickly they fix vulnerabilities when they occur.”

He highlighted the attack in April 2024 in which a series of social engineering efforts introduced a vulnerability into an open source utility, specifically a backdoor in XZ Utils.

“It was really kind of disgusting because the open source ecosystem is largely maintained by unpaid volunteers, people doing it in their spare time … and often unpaid, etc.,” Hughes said. “So, taking advantage of them and preying on them was a very heinous thing that caught the attention of a lot of people.”

How is AI changing open source security?

In October 2024, the Open Source Initiative established a definition for open source AI. According to this definition, open source AI has four key elements: the freedom to use, study, modify, and share the system for any purpose.

Hughes said that defining open source AI was important because of distribution platforms such as Hugging Face.

“These AI models, especially the open-source ones, are widely used by many organizations and individuals around the world,” he said. “So we’re back to asking: What exactly is in it, and who contributed to it, and where is it? What other weak components are there in Rome?”

Larger corporations may have a better opportunity to communicate transparently with their vendors about their software supply chain than smaller companies, Hughes said. Therefore, the problem of not having visibility into the AI models used in their software can quickly escalate for smaller companies.

See: Smart home device makers will soon be able to apply for a US Government Security Seal of Approval.

CISA encourages secure open source software development

In March 2024, CISA finalized the Secure Software Development Self-Certification Form. It is intended for developers of software used by the US federal government to verify that they use secure development practices.

Federal agencies may also request other forms and certifications. On the commercial side, organizations can make similar demands in their procurement processes. There is still an element of trust involved as the organization needs to trust that the vendor will keep its word. Hughes said there are more conversations now than last year in the wake of attacks on open-source utilities.

Future solutions for open source software security

Analyzing software composition in 2025 is not enough, Hughes said. IT professionals and security professionals should be aware that as software becomes more complex, the number of vulnerabilities has increased to the point “where it’s becoming taxing on developers to even figure out what to do. Things need to be fixed and prioritized,” Hughes said.

Companies like Endor Labs can provide insight into dependencies within open source code, including indirect or transitive dependencies.

“Being able to point to things like access and exploits … can be a huge benefit from a compliance perspective, in terms of the burden on the organization and your development team,” he said.
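As an added illustration of the two points above (the need to see transitive dependencies, and to prioritize findings rather than hand developers every advisory), here is a small Python script that is not from the article or from Endor Labs. It walks a constructed, lockfile-style dependency graph to enumerate every transitive dependency, then ranks constructed advisories so that those whose vulnerable function the application actually calls come first; the package names, advisory ids and call data are all constructed placeholders.

```python
from collections import deque

# Constructed resolved dependency graph (what a lockfile resolves to); not real packages.
DEP_GRAPH = {
    "my-app": ["web-framework", "http-parser"],
    "web-framework": ["template-engine"],
    "template-engine": ["markup-sanitizer"],
    "http-parser": ["compression-lib"],
    "markup-sanitizer": ["compression-lib"],
    "compression-lib": [],
}

# Constructed advisories keyed by package: (id, severity, vulnerable function).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "compression-lib": [("ADV-PLACEHOLDER-1", "high", "decompress_stream")],
    "markup-sanitizer": [("ADV-PLACEHOLDER-2", "critical", "strip_tags")],
    "http-parser": [("ADV-PLACEHOLDER-3", "medium", "parse_chunked")],
}

# Constructed call data: the functions of each package that my-app's own code invokes.
# A real tool would derive this from a call graph; here it is hand-written.
CALLED = {
    "http-parser": {"parse_request"},
    "compression-lib": {"decompress_stream"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def transitive_dependencies(graph, root):
    """Return {package: depth} for every package reachable from root (BFS, shortest depth)."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, d = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in depth:          # first visit is the shortest path
                depth[child] = d + 1
                queue.append((child, d + 1))
    return depth


def prioritize(graph, advisories, called, root="my-app"):
    """List every advisory in the transitive closure, reachable-and-severe ones first."""
    depth = transitive_dependencies(graph, root)
    findings = []
    for pkg, d in depth.items():
        for adv_id, severity, vuln_func in advisories.get(pkg, []):
            reachable = vuln_func in called.get(pkg, set())   # is the vulnerable code even used?
            findings.append({"package": pkg, "advisory": adv_id, "severity": severity,
                             "depth": d, "direct": d == 1, "reachable": reachable})
    # Reachable first, then by severity, then shallower (easier to update) dependencies first.
    findings.sort(key=lambda f: (not f["reachable"], SEVERITY_RANK[f["severity"]], f["depth"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize(DEP_GRAPH, ADVISORIES, CALLED):
        print(finding)
```

Note that the only reachable finding sits two levels deep in a library the application never lists as a direct dependency, which is exactly what a direct-dependency-only inventory would miss.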
