
Paul Davis at JFrog considers how to build a safer software supply chain
Open source is the backbone of modern software development, present in 96% of commercial codebases and accelerating innovation across industries. According to Harvard Business School, without open source software, companies would pay roughly $8.8 trillion to build the software and platforms that run their businesses.
But as open source adoption grows, so do the risks, especially as attackers shift their focus to new targets like machine learning (ML) models.
Over the last three years, software supply chain attacks have surged by 600%, with attackers increasingly targeting CI/CD pipelines, package managers, and public registries. More than 10 million individuals and 1,700 organisations were affected by open-source supply chain attacks in 2022 alone. The reality is clear: open source is indispensable, but it requires a new level of security vigilance.
While 82% of open source software components carry some inherent risk, such as unpatched vulnerabilities, maintenance challenges or quality issues, the emergence of open source ML models adds a new layer of complexity. ML models are often large, opaque and difficult to inspect, which makes them attractive targets for attackers seeking to embed hidden vulnerabilities or malicious code. Licensing issues and the lack of a standardised review process further complicate the security landscape.
Unlike traditional code libraries, ML models can be tough to audit and verify. Their complexity and size mean vulnerabilities can go unnoticed, and malicious actors can exploit these blind spots to infiltrate enterprise environments. As ML adoption accelerates, so does the need for robust security practices tailored to this emerging threat.
Building secure software means weaving security into workflows without slowing down delivery. Here are three practical steps developers and DevSecOps teams can take:
Many organisations are also rethinking their systems infrastructure to place a more secure buffer between developers and registries on the public internet. By using a central, curated repository that proxies public registries for all software artefacts, containers, and even ML models, teams have a single point of control where they can apply consistent security checks, curation, and scanning before components enter pipelines.
This ultimately simplifies the developer experience and strengthens security across the entire software supply chain.
Developers might be more familiar with securing code libraries and binaries than they once were, but a new challenge has arrived: open-source machine learning models. ML models are often large and opaque, contain licensing challenges, and can contain hidden vulnerabilities that have been planted by malicious actors.
Unlike traditional code, ML models are tougher to inspect, which makes them an attractive vehicle for attackers looking to smuggle harmful code into enterprise environments. It is essential to treat ML models the same way as any other software artefact: scan them for vulnerabilities, verify where they came from, and store them securely before they are deployed.
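To make that last point concrete, here is an added example (not code from the article or from JFrog) of the kind of pre-deployment gate described above, applied to a pickle-serialised model file such as a PyTorch checkpoint. It assumes the curated repository publishes a SHA-256 digest for each artefact (a hypothetical field in its metadata), and it uses an allowlist of module prefixes that is itself an assumption to adjust per model family. The sample model bytes are constructed inline and are not real model files.

```python
# Added example (not from the article or JFrog): pre-deployment checks for a
# pickle-serialised ML model file, such as a PyTorch .pt/.pth checkpoint.
# Two checks the text calls for: verify the artefact's origin by comparing its
# SHA-256 against the digest recorded by the curated repository (hypothetical
# metadata), and inspect the pickle stream for imports outside an allowlist
# WITHOUT unpickling it, since unpickling executes whatever the file asks for.
import hashlib
import hmac
import pickle
import pickletools

# Assumption: module roots a benign PyTorch checkpoint is expected to reference.
# Tighten this for your own models; anything else is flagged for review.
ALLOWED_MODULE_ROOTS = ("torch", "collections", "numpy", "_codecs")

# Callables that are never legitimate inside a model file, whatever the allowlist says.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
    ("subprocess", "run"), ("builtins", "eval"), ("builtins", "exec"),
    ("builtins", "__import__"), ("socket", "socket"),
}

STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison; expected_hex is what the curated repo recorded.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def pickle_imports(data: bytes) -> list[tuple[str, str, int]]:
    """Return (module, name, offset) for every global the pickle would import.

    pickletools.genops disassembles opcodes without executing them.
    GLOBAL/INST carry 'module name' inline; STACK_GLOBAL (protocol 4) takes the
    module and name from the two most recent string pushes, which is what the
    standard pickler emits. Strings recalled through memo GET opcodes are not
    resolved here, so this is a screening pass, not a proof of safety.
    """
    imports = []
    recent_strings: list[str] = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings = (recent_strings + [arg])[-2:]
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            imports.append((module, name, pos))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            imports.append((recent_strings[0], recent_strings[1], pos))
    return imports


def suspicious_imports(data: bytes) -> list[str]:
    """Imports that are explicitly dangerous or outside the allowlist."""
    findings = []
    for module, name, pos in pickle_imports(data):
        root = module.split(".", 1)[0]
        if (module, name) in DANGEROUS_GLOBALS:
            findings.append(f"offset {pos}: dangerous global {module}.{name}")
        elif root not in ALLOWED_MODULE_ROOTS:
            findings.append(f"offset {pos}: unexpected global {module}.{name}")
    return findings


def check_model_artifact(data: bytes, expected_sha256: str) -> dict:
    """Gate to run before a model is promoted to a deployable repository."""
    findings = suspicious_imports(data)
    digest_ok = digest_matches(data, expected_sha256)
    return {"digest_ok": digest_ok, "findings": findings,
            "deployable": digest_ok and not findings}


# --- Constructed sample inputs (not real model files) ---
# A benign checkpoint-like payload: plain containers, no imports at all.
BENIGN_MODEL = pickle.dumps({"layer1.weight": [0.1, -0.2], "epoch": 3}, protocol=4)
# A malicious payload written by hand with protocol-4 opcodes: it imports
# os.system and calls it with "id" the moment anyone unpickles it.
MALICIOUS_MODEL = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."
# The same attack in protocol 0, which uses the inline GLOBAL opcode instead.
MALICIOUS_MODEL_P0 = b"cos\nsystem\n(S'id'\ntR."
# A reference a real checkpoint legitimately makes (torch._utils is allowlisted).
TORCH_LIKE_MODEL = b"\x80\x04\x8c\x0ctorch._utils\x8c\x12_rebuild_tensor_v2\x93."

if __name__ == "__main__":
    published = sha256_hex(BENIGN_MODEL)  # digest the curated repo would record
    print(check_model_artifact(BENIGN_MODEL, published))
    print(check_model_artifact(MALICIOUS_MODEL, published))
```

The scan disassembles the pickle stream with pickletools.genops rather than loading it, because unpickling an untrusted model executes whatever callables it references. It is a screening pass, not a proof: a reference that passes the allowlist can still be abused, and strings recalled through memo opcodes are not resolved, so pair it with the provenance check and, where the framework allows, prefer a weights-only format that cannot carry code, such as safetensors.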
Securing the software supply chain is more than a technical challenge. It’s a mindset shift for how teams approach development. Simply put, security can’t be a final checkpoint before release; it needs to be present at every stage, from the moment a dependency is considered to the final deployment in production.
By proactively curating dependencies, verifying binaries, scanning continuously, and managing ML models responsibly, dev teams can help close the gaps that attackers are just waiting to exploit. Centralising security checks can simplify this process, reducing risks while maintaining the speed modern development requires.
By making security a core part of the development DNA, teams can continue to innovate quickly while protecting their organisation, their users, and the broader digital ecosystem.
Paul Davis is Field CISO at JFrog
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543