Endor Labs, in collaboration with 20 CISOs and technology veterans, has identified the top 10 open source risks of 2023. They are:
1. Known vulnerabilities – where developers accidentally introduce a component that contains vulnerable code
2. Compromise of a legitimate package – this includes self-compromise, where developers self-sabotage their own packages in protest
3. Name confusion attacks – such as typosquatting and dependency confusion
4. Unmaintained software
5. Outdated software
6. Untracked dependencies – especially your transitive dependencies, i.e. your fourth and fifth parties
7. License risks
8. Immature software
9. Unapproved changes – this applies especially to unversioned resources that are downloaded from the internet
10. Under/over-sized dependency – where a component may provide very little functionality, or a lot of functionality of which only a fraction is actually used
https://www.endorlabs.com/blog/top-10-oss-risks-press-release
This segment was created for the It’s 5:05 podcast