Endor Labs, in collaboration with 20 CISOs and technology veterans, has identified the top 10 open source risks of 2023. They are:

1. Known vulnerabilities – where developers accidentally introduce a component that contains vulnerable code

2. Compromise of a legitimate package – this includes self-compromise, where developers sabotage their own packages in protest

3. Name confusion attacks – such as typosquatting and dependency confusion

4. Unmaintained software

5. Outdated software

6. Untracked dependencies – especially your transitive dependencies, i.e. your fourth and fifth parties

7. License risks

8. Immature software

9. Unapproved changes – especially for un-versioned resources that are downloaded from the internet

10. Under- or over-sized dependencies – where a component may provide very little functionality or a lot of functionality (of which only a fraction may be used)
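As an added illustration (not Endor Labs' tooling and not part of the original segment), the small audit below checks a constructed dependency manifest for three of the risks in the list: name confusion (a package name that closely resembles, but does not equal, a known package), untracked transitive dependencies (resolved in the lock file but missing from the team's inventory), and unapproved changes (a source that is not pinned to an exact version or commit). All package names, versions, URLs and the inventory are constructed sample data.

```python
import difflib
from typing import Optional

# Constructed sample data. The names below are hypothetical and chosen so that
# "fastjsn" is one character away from the known package "fastjson".
KNOWN_PACKAGES = {"fastjson", "httpclient", "yamlparse", "logutil"}

# What the team's SBOM / inventory actually lists (constructed).
INVENTORY = {"fastjsn", "httpclient", "logutil"}

# What the package manager resolved and wrote to the lock file (constructed).
# "yamlparse" is a transitive dependency pulled in by "httpclient";
# "logutil" is fetched from an unversioned URL rather than a registry.
LOCKED = {
    "fastjsn": {"version": "1.4.2", "source": "registry"},
    "httpclient": {"version": "3.0.1", "source": "registry"},
    "yamlparse": {"version": "0.9.0", "source": "registry"},
    "logutil": {"version": None, "source": "https://example.invalid/logutil/latest.tar.gz"},
}


def closest_known_name(name: str, known: set, cutoff: float = 0.8) -> Optional[str]:
    """Return a known package name that `name` closely resembles but does not
    equal, or None. A close-but-different name is a name-confusion signal."""
    if name in known:
        return None
    matches = difflib.get_close_matches(name, sorted(known), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def is_pinned(version: Optional[str], source: str) -> bool:
    """A registry dependency is pinned when it has an exact version (no range
    operators). A non-registry source (git, tarball URL) is treated as pinned
    only when it carries a fragment such as '#<commit>' (assumption for this
    example; real lock formats encode this differently)."""
    if source == "registry":
        return version is not None and not any(c in version for c in "^~*<>=")
    return "#" in source


def audit(locked: dict, inventory: set, known: set) -> list:
    """Walk the lock file and return (risk, package, detail) findings."""
    findings = []
    for name, entry in locked.items():
        hit = closest_known_name(name, known)
        if hit:
            findings.append(("name-confusion", name, f"resembles known package '{hit}'"))
        if name not in inventory:
            findings.append(("untracked-dependency", name, "resolved in lock file but absent from inventory"))
        if not is_pinned(entry["version"], entry["source"]):
            findings.append(("unpinned-source", name, f"source '{entry['source']}' is not pinned"))
    return findings


if __name__ == "__main__":
    for risk, package, detail in audit(LOCKED, INVENTORY, KNOWN_PACKAGES):
        print(f"{risk:22} {package:12} {detail}")
```

On the sample data this reports one finding per risk: `fastjsn` as a possible name-confusion, `yamlparse` as an untracked transitive dependency, and `logutil` as an unpinned download. In practice the known-package set would come from the organisation's approved list or the registry's most-downloaded names, and the inventory from a generated SBOM rather than a hand-written set.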

This segment was created for the It’s 5:05 podcast