Open Source Security at Risk From Poor Oversight

Open-source software has become a prime target in the escalating wave of cybersecurity threats. As attacks grow more sophisticated, the open-source community is racing to close critical security gaps and stop malicious code before it spreads.

With open-source code used in most commercial software, infection risks are rampant across most industries. It is indispensable and dangerously neglected, remarked Jason Soroko, senior fellow at certificate lifecycle management firm Sectigo.

“With 86% of codebases harboring vulnerabilities and a tripling in open source file counts over four years, modern applications have increased their attack surfaces without adequate oversight,” he told LinuxInsider.

He urged security teams to overhaul their strategies. Traditional package scanning misses over 20% of dependencies, exposing blind spots introduced by alternate coding practices and AI tools.

Soroko says several recent reports offer more than just a wake-up call. They issue a mandate for proactive governance.

Efforts to Tackle Open Source Threat Spike

Live patching and Linux security firm TuxCare’s 2025 Enterprise Linux and Open Source Landscape Report — available as a free download — bears out that prognosis. It uncovered three significant trends this year that sparked a wake-up call for security experts and software users on all platforms.

TuxCare Chief Revenue Officer Michael Canavan warned that there is a clear discrepancy between the perception of vulnerability levels and actual threats.

“The report’s numerous other findings also paint a picture of an open source and enterprise Linux space that’s experiencing ongoing innovation and disruption alongside ongoing security challenges,” he told LinuxInsider.

This 62-page report, released in February, was followed by another study showing how widespread malicious code has grown and is easily used against any target. Also released in February, researchers at application security firm Apiiro detected and analyzed thousands of malicious code instances in software repositories and packages, with new ones emerging daily.

The report described how millions of GitHub repositories were cloned and infected with malware loaders, according to Matan Giladi, a security researcher at Apiiro. Obfuscation is key in blocking attack detection.

“Obfuscation methods evolve continuously. Known obfuscation methods are numerous, each taking multiple forms, making detection and separation from benign code very challenging,” he told LinuxInsider.

Gaps in Perception Undermine Linux Security

One major revelation in the TuxCare report is the misalignment between security professionals’ perceptions. There is a significant disconnect between security professionals’ perceptions of vulnerability levels and the true threat landscape.

Roughly half of the respondents believed vulnerability volumes remained stable in 2024 compared to 2023. However, data shows a 25% increase overall and a staggering 12-fold increase in Linux-specific vulnerabilities. This underestimation can negatively impact security strategies, budget allocation, and incident response planning.

“Organizations must move beyond reactive thinking and implement continuous vulnerability scanning, threat intelligence integration, and transparent reporting. You can’t secure what you don’t accurately understand. The data show too many teams are still flying blind.” Canavan said.

The report noted a significant drop in confidence in open-source supply chain security — from 23.81% to 12.31%. This decline likely reflects increased awareness of supply chain attacks, such as the XZ backdoor incident, which had a broad impact and led 70% of organizations to review their open-source supply chain processes.

Canavan admitted that trust in open-source supply chains is eroding, and rightfully so. Organizations must adopt a zero-trust mindset with practices like Software Bill of Materials (SBOM) enforcement, routine dependency audits, and verified source code provenance.

Open source isn’t the problem; unverified and unmanaged consumption is. He urged treating software supply chain security with the same rigor as physical infrastructure.

More Key Findings in the TuxCare Cyber Report

The reliance on full automation in security processes dropped from 14.48% to 2.56%. This trend indicates a growing recognition of the necessity of human oversight alongside automation for effective security.

“Automation is essential, but it can’t replace judgment. The retreat from full automation reflects a necessary correction,” Canavan noted.

Human expertise is critical for vulnerability prioritization, patch validation, and incident response. Automation should handle the repetitive and scalable tasks, while humans should handle the ambiguous and strategic ones.

“The most resilient environments are those where both work in harmony,” he added.

The CrowdStrike incident and the discovery of the XZ Utils backdoor significantly raised awareness about software supply chain risks. CrowdStrike reportedly caused direct losses that could reach $5.4 billion to Fortune 500 companies, highlighting the significant financial consequences of security breaches. With 83.6% of respondents aware of the XZ occurrence, the perception of open-source security suffered serious harm.

Organizations are increasingly adopting AI for cost reduction (rising from 35% to 53%) rather than primarily for innovation (which has declined) — suggesting a maturing view of AI as a practical business tool focused on efficiency.

“As AI adoption shifts from innovation to cost efficiency, we’ll see growing enterprise demand for lightweight, purpose-built open-source AI tools that offer fast deployment and measurable ROI,” Canavan predicted.

“This pivot will also likely drive more targeted contributions to projects that optimize compute resources, streamline workflows, and simplify integration into existing enterprise stacks.”

New Tools Aim To Detect Malicious Code Early

Until now, CISOs had to pay significant costs to defend against malicious code, with organizations often investing hundreds of thousands of dollars annually. Apiiro hopes its two solutions, available at Github, change that scenario.

The first, Semgrep rules, detect dynamic code execution and obfuscation patterns found in most malicious code-reported incidents. It includes only rules with low false-positive rates and a strong correlation with malicious code. According to Giladi, this ruleset integrates with any CI/CD pipeline, enabling detection at any stage.

The second, Prevent, allows real-time monitoring of pull requests, enforcing policies, and triggering workflows. This tool works in conjunction with Semgrep.

“Existing workflows provide none or minimal coverage for these patterns, and those that do produce a huge amount of false positives,” Giladi said, referring to anti-patterns in malicious code.

He added that binary analysis tools detect malware in compiled code, and static analysis tools scan for vulnerabilities. However, it neither detects malicious code added to the source code nor its lifecycle.

“The closest are scanners for malicious code in open source, which might aid researchers but are impractical for organizations due to the high false positives ratio and limited coverage,” he said.

Reducing False Positives in Threat Detection

Apiiro’s research determined that the identified anti-patterns are rare in benign code. However, they also found some potential scenarios where legitimate code might exhibit these patterns. The company’s approach minimizes false positives.

According to Giladi, most false positives arise from detections of encoded data. Both are favorites of attackers and a topic with a significant lack of awareness.

“While it’s agreed that code should be readable, and encoded data is unreadable, many developers rely on outdated practices. Generally, adherence to established coding standards such as Google/Microsoft guidelines eliminates false positives,” he added.

Ubiquity of Open Source Raises Risk

The recent release of cybersecurity firm Black Duck’s Open Source Security and Risk Analysis (OSSRA) Report — available with a form fill — demonstrated how widespread open source code is. It is so ubiquitous that it can introduce significant risk unless adequately identified and managed.

The report found that 86% of commercial codebases evaluated contained open-source software vulnerabilities, and 81% contained high- or critical-risk vulnerabilities. Black Duck’s data shows that the number of open-source files in an average application tripled from more than 5,300 in 2020 to more than 16,000 in 2024.

Additional key findings include:

• 90% of audited codebases were found to have open-source components that were more than four years out of date.
• jQuery, a widely used JavaScript library, was the most frequent source of vulnerabilities, with eight of the top 10 high-risk vulnerabilities.
• Only 77% of dependencies could be identified via package manager scanning, suggesting that other means, including AI coding assistants, introduced the remainder. These blind spots lead to lingering unpatched vulnerabilities, outdated components, and license conflicts.
• 97% of the evaluated codebases contained open source, with an average of 911 OSS components found per application. From an industry perspective, the percentages ranged from 100% in the Computer Hardware and Semiconductors, EdTech, and Internet and Mobile Apps sectors to a “low” of 79% for Manufacturing, Industrials, and Robotics.

“The research findings indicate that adopting open-source software widely poses considerable security challenges. Many commercial codebases exhibit critically risky vulnerabilities, indicating a systemic problem,” said Eric Schwake, director of cybersecurity strategy at API security firm Salt Security.