Open-Source Software Security: Trends for 2025
Introduction
Open-source software is ubiquitous in the tech world, and tools like software composition analysis can identify dependencies and secure them. However, working with open-source software presents security challenges compared to proprietary software.
Chris Hughes, chief security advisor at open-source software security startup Endor Labs, spoke to TechRepublic about the state of open-source software security today and where it might go in the next year.
Open-Source Security Trends for 2025
For his work, Hughes defined open-source software as software for which source code is freely available and can be used to build other projects, possibly with some restrictions. Last year, Harvard Business School found organizations would need to invest $8.8 trillion in technology and labor time to recreate the software used in business if open-source software wasn’t available.
Estimates are that 70-90% of all applications contain open source, and roughly 90% of those code bases are entirely made up of open source, Hughes said.
For 2025, Hughes predicts:
- Widespread open-source software adoption will be accompanied by increasingly sophisticated attacks on OSS by malicious actors.
- Organizations will continue to put foundational OSS governance in place.
- More companies will use open-source and commercial tools to help them start to understand their OSS consumption.
- Organizations will perform risk-informed consumption of OSS.
- Enterprises will continue to push for vendor transparency regarding what OSS they use in their products. However, no widespread mandates will arise for this process.
- AI will continue to impact application security and open source in various ways, including organizations using AI to analyze code and remediate issues.
- Attackers will target widely used OSS AI libraries, projects, and more to launch supply chain attacks on the OSS AI community and commercial vendors.
- AI code governance, where organizations have more visibility into AI models, will become more common.
How is AI Changing Open-Source Security?
In October 2024, the Open Source Initiative established a definition for open-source AI. According to the initiative, open-source AI has four key elements: the freedom to use, study, modify, and share the system for any purpose.
Hughes said that defining open-source AI was important because of the rise of distribution platforms like Hugging Face.
These AI models, especially the open-source ones, are widely used by many organizations and individuals around the world, Hughes said. So, we’re back to asking: What exactly is in this, and who contributed to it, and where is it from? And are there vulnerable components?
CISA Encourages Open-Source Software Development Security
In March 2024, CISA finalized the secure software development self-attestation form, meant for developers of software used by the U.S. federal government to confirm they use secure development practices.
Federal agencies may ask for other forms and attestations as well. On the commercial side, organizations may build similar requirements into their procurement processes. There is still an element of trust involved since the organization needs to trust the vendor will keep to their word. But the conversation is happening more often now than it did last year, in the wake of attacks on open-source utilities, Hughes said.
Solutions for the Future of Open-Source Software Security
Performing software composition analysis isn’t enough going into 2025, Hughes said. IT professionals and security professionals should know that as software becomes more complex, the number of vulnerabilities has grown “to where it’s becoming a tax on developers to even navigate what needs to be fixed and what order of priority,” Hughes said.
Companies like Endor Labs can provide insights on dependencies within open-source code, including indirect or transitive dependencies.
Being able to point to things like reachability and exploitability … could be a big benefit from the compliance perspective too, in terms of the burden on the organization and your development team, he said.
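To make the reachability point concrete, here is an added Python sketch (not code from the article, from Endor Labs, or from any real tool) that contrasts plain software composition analysis, which flags every advisory whose package appears anywhere in the transitive dependency tree, with reachability-informed prioritization, which ranks first the advisories whose vulnerable function the application actually calls. The dependency graph, call graph and advisory records are constructed sample data, and the advisory ids are placeholders.

```python
from collections import deque

# Constructed sample dependency graph: package -> packages it depends on.
# "app" is the organization's own code; everything else is open source.
DEP_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "json-lib": [],
    "http-parser": ["string-utils"],
    "template-engine": ["string-utils"],
    "string-utils": [],
}

# Constructed sample call graph: function -> functions it calls.
# Only the paths the app really exercises are listed.
CALL_GRAPH = {
    "app": {"web-framework.serve", "json-lib.loads"},
    "web-framework.serve": {"http-parser.parse_headers"},
    "http-parser.parse_headers": set(),
    "json-lib.loads": set(),
}

# Constructed sample advisories with placeholder ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "http-parser",
     "function": "http-parser.parse_headers", "severity": 9.1},
    {"id": "ADV-PLACEHOLDER-2", "package": "template-engine",
     "function": "template-engine.render", "severity": 9.8},
    {"id": "ADV-PLACEHOLDER-3", "package": "string-utils",
     "function": "string-utils.pad", "severity": 7.5},
]


def closure(edges, start):
    """Breadth-first transitive closure of `start` over `edges` (start excluded)."""
    seen, queue = set(), deque(edges.get(start, []))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(edges.get(node, []))
    return seen


def triage(dep_graph, call_graph, advisories, root="app"):
    """Return (advisory id, reachable?) pairs: reachable first, then by severity."""
    present = closure(dep_graph, root)          # what plain SCA would report
    reachable = closure(call_graph, root)       # functions the app can actually hit
    hits = [a for a in advisories if a["package"] in present]
    hits.sort(key=lambda a: (a["function"] not in reachable, -a["severity"]))
    return [(a["id"], a["function"] in reachable) for a in hits]
```

With this data, plain SCA reports all three advisories, but only the http-parser one lies on a code path the app executes, so it ranks first despite its lower score than the template-engine advisory.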
Conclusion
Open-source software security is a critical concern for organizations, and the trends outlined above will continue to shape the landscape. As AI continues to impact application security and open source, organizations need to prioritize security and transparency in their software development and procurement processes.
FAQs
Q: What is open-source software?
A: Open-source software is software for which source code is freely available and can be used to build other projects, possibly with some restrictions.
Q: What are the trends for open-source software security in 2025?
A: According to Chris Hughes, chief security advisor at Endor Labs, widespread open-source software adoption will be accompanied by increasingly sophisticated attacks on OSS by malicious actors, and organizations will continue to put foundational OSS governance in place.
Q: How is AI changing open-source security?
A: AI will continue to impact application security and open source in various ways, including organizations using AI to analyze code and remediate issues, and attackers will target widely used OSS AI libraries, projects, and more to launch supply chain attacks on the OSS AI community and commercial vendors.
Q: What is CISA’s stance on open-source software development security?
A: In March 2024, CISA finalized the secure software development self-attestation form, meant for developers of software used by the U.S. federal government to confirm they use secure development practices.