As organizations increasingly rely on open source software, associated security risks grow, demanding more robust and proactive risk management.
Our 2024 State of the Software Supply Chain report dives into these and other emerging challenges, particularly focusing on the concept of “Persistent Risk” — a term highlighting unresolved vulnerabilities and contamination risks within software supply chains.
Let’s explore a few insights from the report to better understand the evolution of open source risk and its associated security challenges.
Understanding Persistent Risk: A Dual Threat
“Persistent Risk” in open source software is a unique category of risk shaped by prolonged exposure to unresolved vulnerabilities.
We defined this concept based on our observations that ongoing, unresolved threats in software can degrade its security integrity over time.
Persistent Risk encompasses two main factors:
- Unfixed Risk refers to known software vulnerabilities that remain unaddressed, posing a continuous threat. It includes the time needed to fix these issues. Unpatched vulnerabilities create a persistent pathway for exploitation, keeping software at risk.
- Corrosive Risk, like Unfixed Risk, involves vulnerabilities in current and past releases that take time to resolve. It also accounts for delays in detecting vulnerabilities in older versions, allowing risk to accumulate and gradually weaken the software’s security.
Unfixed and Corrosive Risk create Persistent Risk, like rust on metal — the longer vulnerabilities go unaddressed, the more they grow, leading to a decline in software resilience and increased vulnerability to breaches. This underscores the urgency for timely identification and resolution to prevent long-term security issues.
The 2024 report reveals a critical truth: components with Persistent Risk degrade over time, increasing the chance of systemic failures. Importantly, 95% of downloaded vulnerable components had a fix available, highlighting the need for proactive management.
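The two dimensions above both reduce to time: how long a fixed version has been available while the vulnerable one stayed in use (Unfixed Risk), and how long a vulnerability sat undetected in a version you were already running (Corrosive Risk). The following Python snippet is an added illustration, not code from the report or from Sonatype; it computes both windows over a constructed dependency inventory and reports what fraction of the vulnerable components already have a fix. The record fields, advisory ids and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class VulnerableComponent:
    """One vulnerable dependency still present in a build (constructed record)."""
    name: str
    version: str
    advisory: str                 # placeholder advisory id, not a real identifier
    disclosed: date               # public disclosure date of the vulnerability
    fix_released: Optional[date]  # date a fixed version shipped; None if no fix exists yet
    detected: date                # date scanning first flagged this component/version


def unfixed_days(c: VulnerableComponent, today: date) -> int:
    """Unfixed Risk window: days a fix has been available while the vulnerable
    version remained in use. Zero when no fixed version exists yet."""
    if c.fix_released is None:
        return 0
    return (today - c.fix_released).days


def detection_lag_days(c: VulnerableComponent) -> int:
    """Corrosive Risk window: days between public disclosure and the date the
    organization first detected the vulnerability in this version."""
    return (c.detected - c.disclosed).days


def fix_available_ratio(components: List[VulnerableComponent]) -> float:
    """Fraction of vulnerable components for which a fixed version exists."""
    if not components:
        return 0.0
    return sum(1 for c in components if c.fix_released is not None) / len(components)


def persistent_risk_report(components: List[VulnerableComponent], today: date) -> list:
    """Per-component worklist, fixable components first, longest-standing exposure on top."""
    rows = [
        {
            "component": f"{c.name}@{c.version}",
            "advisory": c.advisory,
            "fix_available": c.fix_released is not None,
            "unfixed_days": unfixed_days(c, today),
            "detection_lag_days": detection_lag_days(c),
        }
        for c in components
    ]
    rows.sort(key=lambda r: (not r["fix_available"], -r["unfixed_days"]))
    return rows


# Constructed sample inventory; none of these are real packages or advisories.
AS_OF = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    VulnerableComponent("lib-a", "1.2.0", "ADV-0001", date(2024, 1, 10), date(2024, 1, 20), date(2024, 2, 1)),
    VulnerableComponent("lib-b", "3.4.1", "ADV-0002", date(2023, 6, 1), date(2023, 6, 15), date(2024, 3, 1)),
    VulnerableComponent("lib-c", "0.9.0", "ADV-0003", date(2024, 4, 1), None, date(2024, 4, 5)),
    VulnerableComponent("lib-d", "2.0.0", "ADV-0004", date(2023, 11, 1), date(2023, 11, 10), date(2023, 11, 12)),
    VulnerableComponent("lib-e", "5.1.0", "ADV-0005", date(2024, 5, 1), date(2024, 5, 3), date(2024, 5, 2)),
]

if __name__ == "__main__":
    print(f"fix available for {fix_available_ratio(SAMPLE_INVENTORY):.0%} of vulnerable components")
    for row in persistent_risk_report(SAMPLE_INVENTORY, AS_OF):
        print(row)
```

In the sample, lib-b is the clearest case of both risks at once: a fix has existed for nearly a year and the vulnerability went undetected in the running version for roughly nine months. Sorting fixable components to the top mirrors the report's point that most vulnerable downloads already have a fix available, so the remediation worklist should start there rather than with components that are still waiting on upstream.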
Factors Influencing Persistent Risk
Three primary behaviors drive Persistent Risk within organizations: