The growing risk of open-source code and libraries

Open-source libraries and free-to-use APIs have been widely adopted by the developer community thanks to their ease of access, flexibility, and collaboration among industry members. These tools provide a wide range of pre-developed functionalities, saving programmers time and effort on their projects. However, the widespread adoption of these resources has also led to an increase in the number of associated cyber risks.

According to a survey conducted by Synopsys, 97% of existing apps use at least one piece of an open-source project and 90% of corporations employ this type of resource in commercial products for the end public – whether B2B (corporate) or B2C (individual). The idea is to speed up the development pipeline by automating much of the developers' work through the use of existing functionality and features.

Unfortunately, cybercriminals have also picked up on this trend and are taking advantage of this scenario, thereby sounding the alarm for the need for more conscious open-source usage.

Poisoning the water well

A leading concern when it comes to using open-source libraries and APIs is the potential for unknown vulnerabilities and security breaches. Because of the open nature of these resources, anyone can contribute to the code, which means quality and security control is far from strict. An undetected vulnerability in an open-source library can be exploited by attackers to compromise the security of a system or application using it.

Another critical point is the complexity of dependencies between libraries and APIs. Often, a piece of software may depend on several open-source libraries, which in turn may depend on other libraries. This way, a chain of trust is created in which any vulnerability in one library can propagate to other parts of the system. Additionally, developers often fail to regularly update their libraries and dependencies, making the system vulnerable to known and patched threats.

Finally, malicious code inclusion remains a serious point of concern. While most contributions are legitimate and well-intentioned, a malicious developer may introduce compromised code into a library, spreading widely among users to poison projects. In addition, APIs can be exploited by criminals to launch code injection attacks, such as SQL injection or cross-site scripting (XSS), compromising system integrity.

Tips on best practices

Considering these risks, adopting security measures to mitigate cyber threats is critical. Some best practices include:

• Assessing the reputation and community of the developer of the library or API before adopting it;

• Keeping all libraries and dependencies up to date by regularly applying security patches;

• Performing security audits on the source code from open-source libraries;

• Implementing appropriate access control and authentication mechanisms in open APIs;

• Using static code analysis tools and vulnerability scanners to identify potential security issues;

• Establishing code review policies and rigorous testing for all libraries and APIs used.

By adopting a few simple measures, you can conscientiously and safely benefit from these resources, without putting your entire development pipeline at risk.