Open source code forms the foundations of a vast amount of enterprise software, web applications and even the code that powers consumer devices, from media players to cars.
But security and open source do not always go together. Vulnerabilities in code, or the deliberate manipulation of software components by malicious actors, cause real problems. And the use of open source components has also contributed to software supply chain incidents, such as the Log4Shell vulnerability in the widely used Log4j logging library.
One recent research study found that as many as 96 per cent of the vulnerable open source components in use are there because developers are using an outdated or unpatched version of the code, even though a fixed version already exists.
And the number of software supply chain attacks, and of other exploits against open source, has grown sharply.
Our guest this week argues that despite all this, open source can be secure.
It just needs developers, and the organisations they work for, to think about security throughout the software lifecycle. And CIOs and CISOs need a deeper understanding of where, and how, open source code is used across their systems.
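As an illustration of the two points above (knowing where open source is used, and catching outdated, unpatched versions), here is a minimal dependency check added for this page. It is not code from the podcast, from Sonatype or from any real scanner: it parses a pinned manifest in requirements.txt style, compares each pin against a list of known-vulnerable version ranges, and reports which pins are affected and whether a fixed version already exists. Every package name, version and advisory below is constructed for the example and is not a real vulnerability.

```python
"""Added example: flag pinned open source dependencies that sit inside a
known-vulnerable version range, and say whether a fix is already available.
All package names, versions and advisories are constructed, not real."""
import re
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    package: str            # package name (matched case-insensitively)
    introduced: str         # first vulnerable version, inclusive
    fixed: Optional[str]    # first fixed version, exclusive; None if no fix yet
    summary: str


# Constructed advisory data for the example; none of these are real advisories.
ADVISORIES = [
    Advisory("examplelog", "2.0.0", "2.17.1", "constructed: RCE via message lookup"),
    Advisory("fastjsonlib", "1.0.0", None, "constructed: deserialisation bug, no fix yet"),
    Advisory("webfwk", "3.1.0", "3.2.4", "constructed: authentication bypass"),
]

# Constructed manifest in requirements.txt style (exact pins only).
MANIFEST = """\
examplelog==2.14.1
fastjsonlib==1.3.0
webfwk==3.2.4
# safelib has no advisory in the list above
safelib==0.9.2
"""


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a tuple of ints for comparison."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; '1.0' equals '1.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def parse_manifest(text: str) -> list:
    """Return [(name, version)] from 'name==version' lines; comments are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"expected an exact pin 'name==version', got {line!r}")
        pins.append((m.group(1).lower(), m.group(2)))
    return pins


def check_manifest(text: str, advisories: list) -> list:
    """Return one finding per pinned package that falls inside a vulnerable range."""
    findings = []
    for name, pinned in parse_manifest(text):
        for adv in advisories:
            if adv.package.lower() != name:
                continue
            # Affected when introduced <= pinned and (no fix or pinned < fixed).
            affected = not version_lt(pinned, adv.introduced) and (
                adv.fixed is None or version_lt(pinned, adv.fixed)
            )
            if affected:
                findings.append({
                    "package": name,
                    "pinned": pinned,
                    "fixed": adv.fixed,
                    "summary": adv.summary,
                })
    return findings


if __name__ == "__main__":
    for f in check_manifest(MANIFEST, ADVISORIES):
        action = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version yet"
        print(f"{f['package']}=={f['pinned']}: {f['summary']} ({action})")
```

On the constructed input, examplelog and fastjsonlib are reported and webfwk is not, because its pin is exactly the first fixed version. The distinction the report makes matters in practice: a finding with a fixed version is an upgrade the team simply has not made, which is the case the study above describes, while a finding with no fix needs a mitigation decision rather than a version bump.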
Brian Fox is CTO and co-founder at Sonatype, and he spoke to editor Stephen Pritchard.
Listeners can also download the Sonatype State of the Software Supply Chain report from the Sonatype website.