Lineaje Report: 95% of App Vulnerabilities Come from Open-Source Dependencies

Report: U.S., Russia Top Open-Source Supply Chain Risks

TL;DR: Lineaje’s recent report, “Crossing Boundaries: Breaking Trust?,” uncovers the hidden vulnerabilities in the open-source software that makes up 70% of modern applications. Senior VP and CISO of Lineaje, Nick Mistry, spoke with HostingAdvice about how unchecked and unverifiable open-source origins leave businesses exposed to risk, and how they can secure open-source software better without compromising innovation.

Ninety-five percent of vulnerabilities in applications come from open-source dependencies. And yet, many companies don’t even know where to look or how to address this issue.

Part of the problem lies in the fact that most open-source software is made up of dozens of layers, so verifying each component is time-consuming and, frankly, difficult. The other part is that many components and origins simply can’t be traced and verified.

Lineaje, a company focused on software supply chain security, recently released a report called “Crossing Boundaries: Breaking Trust?” that revealed that, while open-source software is crucial for modern development, it is full of security gaps and hidden risks that cybersecurity teams find hard to detect.

Image: Lineaje logo
Lineaje specializes in providing comprehensive software supply chain security management.

If the term cybersecurity makes your eyes roll, hang on for just a second.

Cybersecurity isn’t some overblown scare tactic companies use to sell products. These risks are real and widespread; they come in many forms, from simple spam bots to more complex threats hidden inside third-party applications.

Take the 2021 Log4Shell vulnerability in the open-source Log4j logging library. This flaw, in the library’s handling of Java Naming and Directory Interface (JNDI) lookups, allowed attackers to execute commands on affected systems without any restrictions. The issue impacted millions of devices and prompted immediate widespread patching.

Lineaje’s Senior Vice President and Chief Information Security Officer, Nick Mistry, attributes the growing problem to businesses’ inability to understand exactly what third-party software they are pulling into their products.

“Let’s say you build software using five open-source packages. Each of those five packages is made up of hundreds of others, and those hundreds of open-source packages may be made up of even more,” Nick explained. “Understanding this lineage is critical to understanding risks.”

And that brings us directly to the findings of Lineaje’s analytical report.

A Growing Threat to Open-Source Supply Chains

Did you know the typical mid-size application has contributions from several countries?

Developers in the United States contribute the most code to open-source projects (34%), followed by Russia (13%), Canada (9%), and the UK (7%).

Interestingly, though, the U.S. is also number one in providing anonymous open-source contributors, with 20.8% unknown. Behind the U.S. is Australia (18.8%), Canada (15.7%), and Brazil (14.7%).

Map: Top 10 Countries with Hidden Risks from Unknown Open-Source Contributors
The U.S., Australia, Canada, Brazil, and the UK have the highest hidden risks from unknown open-source contributors.

So what does this mean? While anonymity can protect privacy and encourage participation, it also makes it harder to verify the origin of code.

So Lineaje’s report prompts a relevant question: How can you be sure that everything you’re integrating into your process is safe and trustworthy?

“The main problem is that you have to know everything that’s in your software to manage the risk,” said Nick. “But when you’re using these open-source tools, you often don’t know what’s in them. This lack of visibility means you can’t see all the vulnerabilities, so it’s harder to manage weaknesses or potential exploits.”

Unsurprisingly, hackers are taking advantage of the lack of visibility, either by targeting hidden vulnerabilities deep in the supply chain or by tampering with the code itself.

The real risk here, Nick said, is “that one change in the supply chain can affect thousands of companies. And this all happens without detection.”

The Cybersecurity and Infrastructure Security Agency (CISA) confirms that supply chain attacks are on the rise, and its Open Source Software Security Roadmap is a key effort to increase visibility into the widespread and harmful risks associated with open-source software.

Why is Open-Source Software So Vulnerable?

Open-source software accounts for two to nine times more code than developers write themselves. And yet, 6.96% of open-source components are of unknown or questionable origin.

Lineaje made a great point in its report, so I’ll borrow it and repeat it here: We would not buy a $2 can of soup if 7% of ingredients were of dubious origin. Should your critical software contain known components of dubious origin?

I’ll go out on a limb and assume that most of us wouldn’t. So it begs the question: Why do developers?

To understand this, you first have to understand the concept of open source. Open-source software is software anyone can use, modify, and share because its source code is 100% public.

Graphic: the report’s $2 can of soup comparison, quoted above.
When you put it this way, it really makes you stop and think.

About 96% of all code bases incorporate open-source software. The Linux operating system, the Firefox web browser, and WordPress are among the best-known examples.

The open-source supply chain refers to the networks and processes involved in creating, distributing, and maintaining open-source software.

But it’s a double-edged sword: The transparency that supports open-source innovation can also work against it. Tampered code and hidden vulnerabilities often sit several layers deep in the supply chain, where they are far more likely to go unnoticed by developers.

In fact, Lineaje’s findings show that about 70% of a typical application consists of open-source components.

Think about that for a second: The human body is 60% water; Earth’s surface is 70% water. Seventy percent is a significant portion that depends on third-party resources.

“Open-source is a huge global ecosystem that drives innovation, and we don’t want to stifle that. But that comes with the challenge of it being largely unregulated. It’s all based on trust,” Nick said. “The question is: How do we measure trustworthiness in open-source?”

It’s a good question. Modern open-source software often stacks 20 to 60 layers deep, blending code from numerous unknown sources, and each layer represents a potential vulnerability.

Graph: What is in your software?
Open-source components are the most common element in modern software development.

Think of it like a school with dozens of doors and windows. Each one needs to be checked and secured, and missing even one is an open invitation for someone to get inside and pose a threat.

“Attackers know how to exploit this lack of visibility,” Nick explained. “They either exploit vulnerabilities deep in the supply chain that most people don’t even know exist, or they actively tamper with the code, which then spreads across thousands of organizations.”

According to the report, a common issue is something called version sprawl. More than 15% of components in a typical application have multiple versions — and as you can probably imagine, this only complicates things for security management.
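The two visibility problems the report describes, the lineage of transitive dependencies that Nick outlines above and the version sprawl just mentioned, are what an SBOM or dependency-analysis tool has to surface. The following is an added example, not code from the article or from Lineaje’s products: it walks a constructed dependency graph (all package names, versions and origins are made up for illustration), expands the full transitive closure with each component’s depth, reports components that appear in more than one version, and flags components with no verifiable origin.

```python
"""Walk a constructed dependency graph the way an SBOM analysis would:
expand transitive dependencies, measure depth, flag version sprawl,
and flag components whose origin cannot be verified."""
from collections import defaultdict, deque

# Constructed sample graph (hypothetical names, versions and origins).
# Key: (name, version). Value: declared origin (None = unknown) and
# the direct dependencies that version declares.
SAMPLE_GRAPH = {
    ("app", "1.0.0"): {"origin": "acme-corp",
                       "deps": [("web-framework", "4.2.0"),
                                ("logger", "2.14.1"),
                                ("json-lib", "1.0.0")]},
    ("web-framework", "4.2.0"): {"origin": "framework-maintainers",
                                 "deps": [("http-core", "3.1.0"),
                                          ("json-lib", "0.9.2")]},
    ("http-core", "3.1.0"): {"origin": "http-core-devs",
                             "deps": [("logger", "2.13.0")]},
    ("logger", "2.14.1"): {"origin": "log-devs", "deps": []},
    ("logger", "2.13.0"): {"origin": "log-devs", "deps": []},
    ("json-lib", "1.0.0"): {"origin": "json-devs", "deps": []},
    # Pulled in transitively, and nobody can say where it came from.
    ("json-lib", "0.9.2"): {"origin": None, "deps": []},
}


def transitive_closure(graph, root):
    """Return {(name, version): depth} for every component reachable from
    root, where depth 0 is the root itself. Breadth-first search gives the
    shortest depth for each node and tolerates cycles via the visited map."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, {}).get("deps", []):
            if dep not in depths:          # first sighting = shortest path
                depths[dep] = depths[node] + 1
                queue.append(dep)
    return depths


def version_sprawl(components):
    """Group components by name; return names present in more than one
    version, mapped to the sorted list of versions seen."""
    versions = defaultdict(set)
    for name, ver in components:
        versions[name].add(ver)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def unknown_origin(graph, components):
    """Components whose origin field is missing or empty."""
    return sorted(c for c in components if not graph.get(c, {}).get("origin"))


def sprawl_ratio(components):
    """Fraction of distinct component names that appear in multiple versions,
    the figure the report quotes as 'more than 15%' for a typical app."""
    names = {name for name, _ in components}
    return len(version_sprawl(components)) / len(names) if names else 0.0


def analyze(graph, root):
    """Summarize the supply chain below root as a plain dict."""
    closure = transitive_closure(graph, root)
    return {
        "component_count": len(closure),
        "max_depth": max(closure.values()),
        "version_sprawl": version_sprawl(closure),
        "sprawl_ratio": sprawl_ratio(closure),
        "unknown_origin": unknown_origin(graph, closure),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_GRAPH, ("app", "1.0.0")).items():
        print(f"{key}: {value}")
```

Even this toy graph shows why a flat list of direct dependencies is not enough: the application declares three packages, but the closure contains seven, the deepest sits three hops down, two of the five distinct components are present in two versions each, and the one component with no origin was never chosen by the application’s developers at all. A real SBOM tool does the same walk over thousands of nodes, which is why the report argues for automating it.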

Experts Weigh In on Securing Open-Source

Automated tools can be incredibly helpful for tracking dependencies. But watch out for another catch-22, warned Nick.

“While AI presents opportunities, it also faces the same open-source risks we’re discussing here. So, the future will involve understanding those risks and balancing innovation with security,” he said. “Open-source is not going anywhere; it’s vital for innovation. The key is how businesses can manage open-source risks while still leveraging it to innovate and grow.”

The report stressed that automated tools that can perform dynamic risk monitoring are crucial for securing open-source software. In fact, Lineaje’s automatic detection tools found 71 out of 73 vulnerabilities in open-source software.

Table: Number of fixed vulnerabilities in later versions
In one study, Lineaje’s solutions found 71 out of 73 vulnerabilities.

The report also introduced the concept of “the Goldilocks zone.” It suggests that the ideal number of contributors for creating the most secure open-source projects falls between 11 and 50, with vulnerability rates as low as 1%.

Does this mean that dev teams should only have between 11 and 50 contributors?

Not necessarily.

Nick stressed that it all comes down to managing trust: “It’s about understanding what’s in your software, validating it continuously, and using automation to do so without hindering development.”

So what can companies do? Well, that’s the million-dollar question. But Lineaje just may have the answer to it.

For more details on the solutions and steps you can take to stay secure, download Lineaje’s report for free here.