Report: Endor Labs Identifies 2023 Operational, Security Risks To Open Source

Endor Labs, along with 20 other technology veterans, has outlined the top 10 open source software risks of 2023. The authors hope to provide a gold standard for gauging open source risks.

Tags: dependencies, Endor Labs, open source, risk, security, vulnerabilities

Endor Labs, a firm focused on securing the open source software supply chain, has released its Top 10 Open Source Software [OSS] Risks for 2023.


This year’s list includes both operational and security threats. Among the topics are: known security vulnerabilities; name confusion attacks; and how outdated, unmaintained, or immature software presents operational risks.


The report also outlines risks introduced through dependence on open source components throughout the software development process.


The report does not look to criticize the exploding use of open source, according to its “Methodology” section. 


Rather, the report is a type of ‘word-to-the-wise’ or a ‘warning shot’ to those who adopt open source as a core component of their software or SaaS offerings. Adopters are also managers -- and they need to be vigilant.


The Endor Labs report puts it this way:

80% of code in modern applications is code you didn’t write but rely on through open source packages. Open source has clearly won as the method to deliver incredible value quickly, while leveraging the work of others, and hopefully contributing back so that others may benefit from your work as well.


This list aims at addressing operational as well as security risks.


This report does not mean to criticize open source projects. . . . Once an organization decides to rely on open source code, its security becomes their responsibility.

The 2023 Endor Labs Top 10 OSS risks include:


OSS-RISK-1 - Known Vulnerabilities: A component version may contain vulnerable code, accidentally introduced by its developers. Vulnerability details are publicly disclosed, e.g., through a CVE. Exploits and patches may or may not be available.


OSS-RISK-2 - Compromise of Legitimate Package: Attackers may compromise resources that are part of an existing legitimate project or of the distribution infrastructure in order to inject malicious code into a component, e.g., through hijacking the accounts of legitimate project maintainers or exploiting vulnerabilities in package repositories.


OSS-RISK-3 - Name Confusion Attacks: Attackers may create components whose names resemble names of legitimate open-source or system components (typo-squatting), suggest trustworthy authors (brand-jacking) or play with common naming patterns in different languages or ecosystems (combo-squatting).


OSS-RISK-4 - Unmaintained Software: A component or component version may no longer be actively developed, so patches for functional and non-functional bugs may not be provided in a timely fashion (or not at all) by the original open source project.


OSS-RISK-5 - Outdated Software: A project may use an old, outdated version of the component (though newer versions exist).


OSS-RISK-6 - Untracked Dependencies: Project developers may not be aware of a dependency on a component at all, e.g., because it is not part of an upstream component’s SBOM, because SCA tools are not run or do not detect it, or because the dependency is not established using a package manager.


OSS-RISK-7 - License Risk: A component or project may not have a license at all, or one that is incompatible with the intended use or whose requirements are not or cannot be met.


OSS-RISK-8 - Immature Software: An open source project may not apply development best-practices, e.g., not use a standard versioning scheme, or have no regression test suite, or review guidelines or documentation. As a result, a component may not work reliably or securely.


OSS-RISK-9 - Unapproved Changes (mutable): A component may change without developers being able to notice, review or approve such changes, e.g., because the download link points to an unversioned resource, because a versioned resource has been modified or tampered with or due to an insecure data transfer.


OSS-RISK-10 - Under/over-sized Dependency: A component may provide very little functionality (e.g., npm micro packages) or a lot of functionality (of which only a fraction may be used).
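As an added example (not Endor Labs code and not from the report), a small Python check that screens a requirements.txt for two of the risks listed above: OSS-RISK-3 (package names within a couple of edits of a trusted allowlist, a typo-squatting signal) and OSS-RISK-9 (unpinned versions, missing integrity hashes, and mutable or plain-http URL references). The allowlist, the edit-distance threshold and the sample lines are constructed assumptions.

```python
import re

# Constructed allowlist of trusted package names (stand-in for an organisation's own inventory).
TRUSTED = {"requests", "urllib3", "cryptography", "numpy", "pyyaml"}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
COMMIT = re.compile(r"@[0-9a-f]{40}\b")  # a full git commit id is an immutable reference

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted name suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_confusion(name: str, max_dist: int = 2):
    """OSS-RISK-3: report an untrusted name that sits within max_dist edits of a trusted one."""
    n = name.lower().replace("_", "-")
    if n in TRUSTED:
        return None
    close = sorted(t for t in TRUSTED if edit_distance(n, t) <= max_dist)
    return f"OSS-RISK-3 name confusion: {name!r} resembles {close[0]!r}" if close else None

def audit_requirement(line: str) -> list:
    """Return the OSS-RISK findings for one requirements.txt line ([] when clean)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    findings = []
    if line.startswith(("http://", "https://", "git+")):
        # A URL dependency is mutable unless it carries a hash fragment or a full commit id.
        if "#sha256=" not in line and not COMMIT.search(line):
            findings.append("OSS-RISK-9 unapproved changes: URL dependency is not immutable")
        if line.startswith("http://"):
            findings.append("OSS-RISK-9 unapproved changes: insecure (http) transfer")
        return findings
    m = REQ.match(line)
    if not m:
        return [f"unparsed requirement: {line}"]
    name, spec = m.group(1), m.group(2)
    if not spec.startswith("=="):
        findings.append(f"OSS-RISK-9 unapproved changes: {name} is not pinned to an exact version")
    if "--hash=" not in spec:
        findings.append(f"OSS-RISK-9 unapproved changes: {name} has no integrity hash")
    hit = name_confusion(name)
    return findings + ([hit] if hit else [])
```

Run `audit_requirement` over each line of a manifest; a clean line (exact pin, hash present, trusted name) returns an empty list.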


Henrik Plate, lead security researcher at Endor Labs, notes that as 2022-2023 shows a broadening scope of open source deployment, a review of the risks of open source use is also important.


In part Plate said:

“Just as the OWASP Top 10 has become the definitive list of web application security risks, the Endor Labs Station 9 report is designed to serve as a standard for gauging open source risks. [O]pen source software comes ‘as-is,’ without warranties of any kind, and any risk of using it being solely on downstream users. That’s exactly why the industry should be aware of these risks.”


“The majority of the code in new applications comes from open source components, and it’s clear that such heavy dependence on open source also implies serious risks.


This report covers both operational and security issues to highlight the top 10 risks associated with the consumption of open source components, all leading to problems that can compromise systems, enable data breaches, undermine compliance or hamper availability.

We believe it offers an unprecedented and critical dive into the complexities of open source software reuse.”

Notably, Endor’s 2023 OSS risk list includes contributions from HashiCorp, Adobe, Palo Alto Networks, and Discord. Endor Labs is the creator of the Dependency Lifecycle Management platform.

Endor Labs Brings Conversational AI to OSS Risk Management

Endor Labs is also bringing the power of ChatGPT to open source risk management.


The company is debuting DroidGPT, which combines the power of ChatGPT with Endor Labs' proprietary risk data. The goal is to help users quickly and easily research open source software (OSS) packages in a conversational manner.


Developers using DroidGPT can log onto OSS Explorer within the Endor Labs platform, ask questions like "what are the best logging packages for Java," and receive instant answers.


All results are overlaid with risk scores revealing the quality, popularity, trustworthiness, and security of each package.


Endor Labs designed DroidGPT to provide several benefits, including:


Conversational Interface: Users can ask questions naturally and receive accurate and detailed answers, making their research process more efficient and enjoyable.


Data-Driven Insights: Endor Labs' risk scores offer a comprehensive evaluation of OSS packages, considering factors such as quality, popularity, and security.


Informed Decision-Making: The integration of DroidGPT’s AI-driven answers with real-world risk data empowers developers to make the best decisions when selecting open source software packages.


To give a flavor for using the conversational AI add-on, here are some specific questions developers can ask DroidGPT.

  • “What packages in Go have a similar function as log4j?”
  • “What packages are similar to go-memdb?”
  • “Which Go packages have the least known vulnerabilities?”


Interested developers can request to join the DroidGPT private beta.