{"id":44618,"date":"2023-02-22T13:18:28","date_gmt":"2023-02-22T13:18:28","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/"},"modified":"2023-02-22T13:19:26","modified_gmt":"2023-02-22T13:19:26","slug":"open-source-software-supply-chain-has-security-risks-the-register","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/","title":{"rendered":"Open source software supply chain has security risks \u2022 The Register"},"content":{"rendered":"<div id=\"body\">\n<p><span class=\"label\">Analysis<\/span> Open source components play an increasingly central role in the software development scene, proving to be a boon in a time of continuous integration and deployment, DevOps, and daily software updates.<\/p>\n<p>In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied \u2013 computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things (IoT) \u2013 open source software (OSS) was in 100 percent of audited codebases. 
The other verticals had open source in at least 93 percent of theirs.<\/p>\n<p>It can help drive efficiency, cost savings, and developer productivity.<\/p>\n<p>&#8220;Open source really is everywhere,&#8221; Fred Bals, senior technical writer at Synopsys, wrote in a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.synopsys.com\/blogs\/software-security\/open-source-trends-ossra-report\/\">blog post<\/a> about the report.<\/p>\n<p>That 
said, the growing use of open source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to the myriad targets that depend on it.<\/p>\n<p>The broad use of OSS packaging in development means that enterprises often don&#8217;t know exactly what&#8217;s in their software. Having many different hands involved increases complexity, and it&#8217;s hard to know what&#8217;s going on in the software supply chain. A <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/tanzu.vmware.com\/content\/ebooks\/state-of-software-supply-chain-2022\">report<\/a> last year from VMware found that concerns about OSS included having to rely on a community to patch vulnerabilities, and the security risks that come with that.<\/p>\n<p>Varun Badhwar, co-founder and CEO of Endor 
Labs \u2013 a startup working to secure OSS in app development \u2013 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.businesswire.com\/news\/home\/20221208005272\/en\/Endor-Labs-Unveils-New-Research-on-Impact-of-Open-Source-Software-on-Supply-Chain-Security\">called it<\/a> &#8220;the backbone of our critical infrastructure.&#8221; But he added that developers and executives are often surprised by how much of their applications&#8217; code comes from OSS.<\/p>\n<p>Badhwar noted that 95 percent of all vulnerabilities are found in &#8220;transitive dependencies&#8221; \u2013 open source packages that are pulled into a project indirectly, by another dependency, rather than chosen by the developers.<\/p>\n<p>&#8220;It&#8217;s a huge area, yet it has been largely ignored,&#8221; he warned.<\/p>\n<h3 class=\"crosshead\">Growing awareness of the threat<\/h3>\n<p>The trend toward using OSS packages isn&#8217;t new. Developers have been doing it for a dozen years or more, according to Brian Fox, co-founder and CTO at software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board.<\/p>\n<p>Developers pull the source components together and add business logic, Fox told <i>The Register<\/i>. 
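<\/p>\n<p>Badhwar&#8217;s point about transitive dependencies above is easy to check mechanically. The following is an added example, not code from The Register, Endor Labs or Sonatype: it walks a constructed lockfile, labels each resolved package as direct or transitive together with the chain that introduced it, and matches the tree against a constructed advisory list, recording whether a fixed version already exists (the question Sonatype&#8217;s analysis raises later on this page). Every package name, version and advisory in it is invented; real tooling would read a real lockfile or SBOM and match version ranges rather than exact versions.<\/p>\n

```python
# Added example; not code from The Register, Endor Labs or Sonatype.
# Resolves the transitive closure of a constructed lockfile, labels each
# package as direct (chosen by the developer) or transitive (pulled in by
# something else), and matches the result against a constructed advisory
# list, noting whether a fixed version already exists. Every package name,
# version and advisory below is made up for the demo.

from collections import deque

# Constructed lockfile: package -> (resolved version, [its dependencies]).
LOCK = {
    'webapp-core': ('2.4.0', ['httpkit', 'tmpl']),
    'reportgen':   ('1.1.0', ['tmpl', 'logfmt']),
    'httpkit':     ('3.0.2', ['urlnorm']),
    'tmpl':        ('0.9.1', ['logfmt']),
    'logfmt':      ('2.14.1', []),
    'urlnorm':     ('1.0.0', []),
}
# Only these two were chosen by the developer; the rest arrive transitively.
DIRECT = ['webapp-core', 'reportgen']

# Constructed advisories: (package, affected versions, fixed version or None).
# Real tooling matches version ranges; exact-version lists keep the demo short.
ADVISORIES = [
    ('logfmt', ['2.14.0', '2.14.1'], '2.17.1'),
    ('urlnorm', ['1.0.0'], None),
]


def resolve(lock, direct):
    '''Breadth-first walk from the direct dependencies.
    Returns {package: (version, depth, path)}; depth 0 means direct,
    depth 1 or more means transitive, and path is the shortest chain
    that introduced the package.'''
    seen = {}
    queue = deque((name, 0, [name]) for name in direct)
    while queue:
        name, depth, path = queue.popleft()
        if name in seen:
            continue  # BFS: the first visit is already the shortest path
        version, deps = lock[name]
        seen[name] = (version, depth, path)
        for dep in deps:
            queue.append((dep, depth + 1, path + [dep]))
    return seen


def audit(lock, direct, advisories):
    '''Cross-check the resolved tree against the advisory list.
    Each finding records whether the hit was transitive and whether a fix
    exists, the two questions the page raises about open source risk.'''
    resolved = resolve(lock, direct)
    findings = []
    for pkg, affected, fixed in advisories:
        if pkg not in resolved:
            continue
        version, depth, path = resolved[pkg]
        if version in affected:
            findings.append({
                'package': pkg,
                'version': version,
                'transitive': depth > 0,
                'via': ' -> '.join(path),
                'fix_available': fixed is not None,
                'fixed_version': fixed,
            })
    return findings


def summarize(findings):
    '''Counts: how many hits are transitive, how many already have a fix.'''
    return {
        'total': len(findings),
        'transitive': sum(1 for f in findings if f['transitive']),
        'fix_available': sum(1 for f in findings if f['fix_available']),
    }


if __name__ == '__main__':
    results = audit(LOCK, DIRECT, ADVISORIES)
    for f in results:
        kind = 'transitive' if f['transitive'] else 'direct'
        fixed = f['fixed_version']
        action = f'upgrade to {fixed}' if fixed else 'no fix yet: mitigate or replace'
        pkg, version, via = f['package'], f['version'], f['via']
        print(f'{pkg} {version} ({kind}, via {via}): {action}')
    print(summarize(results))
```

<p>Run as a script it reports two findings, both transitive, only one of them with a fix available. The shortest introduction path is what tells a developer which direct dependency to bump, which is exactly the information a flat vulnerability list leaves out.<\/p>\n<p>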
This way, open source becomes the foundation of the software.<\/p>\n<p>What&#8217;s changed in recent years is the general awareness of it \u2013 not only among the well-meaning developers who are building software from these disparate parts.<\/p>\n<p>&#8220;The attackers have figured this out as well,&#8221; he said. 
&#8220;A huge notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain.&#8221;<\/p>\n<p>That came to the fore with the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/11\/04\/solarwinds_settlement_sec_enforcement\/\" rel=\"noopener\">SolarWinds breach<\/a> in 2020, in which miscreants linked to Russia broke into the firm&#8217;s software build system and slipped in malicious code. Customers who unknowingly downloaded and installed the code during the update process were then compromised. Similar attacks followed, including Kaseya, and then, most notably, came the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/11\/16\/iranian_cyberspies_log4j\/\" rel=\"noopener\">Log4j<\/a> vulnerability.<\/p>\n<h3 class=\"crosshead\">Getting the picture via Log4j<\/h3>\n<p>The Java-based logging tool is an example of the massive consolidation of risk that comes with the broad use of popular components in software, Fox argued.<\/p>\n<p>&#8220;It&#8217;s a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application \u2013 and you&#8217;d be right 99.99 percent of the time,&#8221; he said. &#8220;As an attacker \u2026 you&#8217;re going to focus on those kinds of things. If you can figure out how to exploit it, it makes it possible to &#8216;spray and pray&#8217; across the internet \u2013 versus in the &#8217;90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code.&#8221;<\/p>\n<p>Enterprises have &#8220;effectively outsourced 90 percent of your development to people you don&#8217;t know and can&#8217;t trust. When I put it that way, it sounds scary, but that&#8217;s what&#8217;s been happening for ten years. 
We&#8217;re just now grappling with the implications of it.&#8221;<\/p>\n<p>Log4j also highlighted another issue within the software supply chain and woke many up to how dependent they are on OSS. Even so, an estimated 29 percent of downloads of Log4j are still of the vulnerable versions.<\/p>\n<p>According to analysis by Sonatype, the majority of the time that a company uses a vulnerable version of any component, a fixed version of the component is available \u2013 but they aren&#8217;t using it. That points to a need for more education, according to Fox. &#8220;96 percent of the problem is people keep taking the contaminated food off the shelf instead of taking a cleaned-up one.&#8221;<\/p>\n<h3 class=\"crosshead\">Targeting the repositories<\/h3>\n<p>There is another growing threat related to OSS: the injection of malware into code and package repositories like GitHub, the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/01\/04\/pypi_pytorch_dependency_attack\/\" rel=\"noopener\">Python Package Index<\/a> (PyPI), and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/08\/11\/npm_pypi_security\/\" rel=\"noopener\">npm<\/a>. Cybercriminals are creating malicious versions of popular code through dependency confusion (publishing a package on the public index under the name of an organization&#8217;s private, internal package, so that build tools resolve the public copy) and other techniques to trick developers into putting the code into their software.<\/p>\n<p>They might use an underscore instead of a dash in the package name, in hopes of confusing developers into grabbing the wrong component.<\/p>\n<p>&#8220;The challenge with this is that the attack happens as soon as the developer downloads that component, and these downloads happen through the tools,&#8221; Fox said. 
&#8220;It&#8217;s not like they&#8217;re really going to a browser and downloading it like the old days, but they&#8217;re putting it into their tool and it happens behind the scenes and it might execute this malware.<\/p>\n<p>&#8220;The sophistication of the attacks is low and these malware components don&#8217;t even usually pretend to be a legitimate component. They don&#8217;t compile. They&#8217;re not going to run the tests. All they do is deliver the payload. It&#8217;s like a smash-and-grab.&#8221;<\/p>\n<h3 class=\"crosshead\">Defenses are going up<\/h3>\n<p>Despite the security risks inherent in OSS, there are advantages to using it. It&#8217;s more visible and transparent than commercial software, Fox argued. He pointed to the response to the Log4j vulnerabilities: the team working on Log4j turned around a fix within a few days \u2013 something commercial organizations would likely not have been able to do.<\/p>\n<p>Mike Parkin, senior technical engineer at Vulcan Cyber, agreed that the open source model of having more eyes on the code can help mitigate cyber threats, but it also makes it easier for potential attackers.<\/p>\n<p>That said, &#8220;historically the tradeoff has usually favored the open source developers,&#8221; Parkin told <i>The Register<\/i>.<\/p>\n<p>The SolarWinds attack put a lot of focus on software supply chain security. 
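<\/p>\n<p>The typosquatting and dependency-confusion tricks described under Targeting the repositories above, and the component-level firewall Fox describes later on this page, come down to a gate that inspects each package before the build tool fetches it. The following is an added example, not code from Sonatype, Vulcan Cyber or The Register: it checks a constructed install log against a constructed allowlist of popular public packages and a constructed list of private-index names, blocking case or punctuation variants and one-character edits of a popular name, and blocking any private name that would resolve from the public index. The names, the lists and the log are all invented for the demo.<\/p>\n

```python
# Added example; not Sonatype Nexus Firewall or any other vendor's code.
# A minimal pre-install gate in the spirit of the component-level firewall
# idea: each package an install tool is about to fetch is checked for the
# two tricks named on the page, typosquatting (case or punctuation variants
# and one-character edits of a popular name) and dependency confusion (an
# internal package name that would be served from the public index).
# The allowlists and the install log below are constructed for the demo.

# Constructed: public packages the team knowingly depends on.
POPULAR = ['python-dateutil', 'pyyaml', 'requests', 'urllib3']
# Constructed: names that exist only on the company's private index.
INTERNAL = {'acme-billing', 'acme-authlib'}

# Constructed install log: (package name, index the tool would resolve from).
INSTALL_LOG = [
    ('requests', 'public'),
    ('requets', 'public'),          # dropped character
    ('python_dateutil', 'public'),  # underscore for dash
    ('urllib3', 'public'),
    ('acme-billing', 'private'),
    ('acme-billing', 'public'),     # internal name resolved from the public index
    ('leftpad-utils', 'public'),    # unknown: route to review
]


def squash(name):
    '''Drop case and the - _ . separators so python_dateutil, Python.DateUtil
    and python-dateutil compare equal (same idea as PEP 503 normalization).'''
    return ''.join(ch for ch in name.lower() if ch not in '-_.')


def edit_distance(a, b):
    '''Optimal-string-alignment distance: one dropped, added, substituted or
    transposed character counts as 1.'''
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check(name, index):
    '''Return (verdict, reason) for one install request.
    verdict is allow, block or review; index is public or private.'''
    if name in INTERNAL:
        if index == 'public':
            return ('block', 'dependency confusion: internal name served from public index')
        return ('allow', 'internal package from private index')
    if name in POPULAR:
        return ('allow', 'known public dependency')
    for known in POPULAR:
        if squash(name) == squash(known):
            return ('block', f'case or punctuation variant of {known}')
        if edit_distance(name, known) == 1:
            return ('block', f'one edit away from {known}')
    return ('review', 'not on the allowlist')


def gate(install_requests):
    '''Run every request through check(); returns (allowed, blocked, review),
    each a list of (name, reason) in log order.'''
    buckets = {'allow': [], 'block': [], 'review': []}
    for name, index in install_requests:
        verdict, reason = check(name, index)
        buckets[verdict].append((name, reason))
    return buckets['allow'], buckets['block'], buckets['review']


if __name__ == '__main__':
    allowed, blocked, review = gate(INSTALL_LOG)
    for label, items in (('ALLOW', allowed), ('BLOCK', blocked), ('REVIEW', review)):
        for name, reason in items:
            print(f'{label:6} {name}: {reason}')
```

<p>One caveat for PyPI specifically: pip normalizes <code>-<\/code>, <code>_<\/code> and <code>.<\/code> in project names (PEP 503), so <code>python_dateutil<\/code> resolves to the real <code>python-dateutil<\/code> there; the squash() rule is for registries that treat such names as distinct, while the edit-distance rule covers the dropped or transposed characters that work everywhere. Anything unknown goes to review rather than being silently allowed, which is the behavior a component firewall needs if it is to stop a payload that, as Fox says, executes the moment the tool touches it.<\/p>\n<p>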
Building on US president Biden&#8217;s 2021 Cybersecurity Executive Order, the White House in September 2022 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/09\/M-22-18.pdf\">ordered<\/a> [PDF] federal agencies to <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/09\/14\/white_house_software_security_guidance\/\" rel=\"noopener\">follow<\/a> NIST guidelines when using third-party software \u2013 including self-attestation and software bills of materials (SBOMs) from the software makers.<\/p>\n<p>There is a broad array of <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/02\/05\/supply_chain_security_efforts\/\" rel=\"noopener\">efforts<\/a> underway by vendors looking to harden the security of the software supply chain. These include the rise of multi-vendor frameworks like the Open Software Supply Chain Attack Reference (OSC&amp;R), tools like the Vulnerability Exploitability eXchange (VEX), and other products being developed by cybersecurity vendors.<\/p>\n<p>However, there are other steps Sonatype&#8217;s Fox would like to see \u2013 like requiring software makers to recall defective software components. Right now, they&#8217;re made to work up an SBOM. Fox compared that to car manufacturers only having to give buyers a list of car parts, which can then be stuck in a glove box and forgotten, without any responsibility to recall the car if any of those parts are defective.<\/p>\n<p>&#8220;What we really need is something to basically mandate that they can do a recall, because that implies that they know all the parts and where they ship them and which versions of the applications have which open source dependencies, but it also means they&#8217;re actually managing it and looking for that,&#8221; he said. 
&#8220;That drives you towards that proper behavior.&#8221;<\/p>\n<p>Fox wants the focus on actually maintaining the OSS packages. There is some movement by governments in that direction, he said, noting that the EU&#8217;s Cyber Resilience Act talks about the need for recalls, even if it doesn&#8217;t use the exact words. Fox said the Biden administration may be starting to warm up to the idea.<\/p>\n<p>He&#8217;s also broaching the idea of component-level firewalls that work in ways similar to packet-level firewalls, which can inspect network traffic and block malicious traffic before an attack can begin. Likewise, a component-level firewall could stop malicious code before it compromises the software.<\/p>\n<p>&#8220;If you don&#8217;t even know what&#8217;s in your software to begin with, you probably have no visibility into what&#8217;s going on with the malware, which is almost a worse problem because it&#8217;s not just the vulnerability that&#8217;s latent, waiting for somebody to exploit,&#8221; he said. &#8220;It&#8217;s causing harm the moment you touch it. Not enough people are really getting their head around that part of the problem either.&#8221;<\/p>\n<p>Sonatype built that capability into its platform with the Nexus Firewall, which Fox said was modeled after credit card fraud protection. The firewall learns what normal behavior looks like and then, using artificial intelligence and machine learning techniques, can detect abnormal behavior. In 2022, the firewall flagged more than 108,000 malicious attack attempts.<\/p>\n<p>&#8220;So many organizations don&#8217;t even know that it&#8217;s a problem,&#8221; he said. 
&#8220;It&#8217;s where the game is happening right now and the attackers are kind of having a field day, unfortunately.&#8221;<\/p>\n<p>A combination of SBOM and firewall-like capabilities is needed.<\/p>\n<p>&#8220;Yes, you have to know where all these parts are, so when the next Log4j happens, you can remediate it immediately and not have to start triaging thousands of applications,&#8221; Fox argued. &#8220;But that&#8217;s not going to stop these malicious attacks. You also have to be good at defending the factory.&#8221; \u00ae<\/p>\n<\/div>\n<p><a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/02\/22\/open_software_supply_chain_risks\/\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Analysis Open source components play an increasingly central role in the software development scene, 
proving to be a boon in a time&#8230;<\/p>\n","protected":false},"author":1,"featured_media":20462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-44618","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-universe"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Open source software supply chain has security risks \u2022 The Register - mailinvest.blog<\/title>\n<meta name=\"description\" content=\"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what&#039;s new, what matters and how technology can enrich your life. mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Open source software supply chain has security risks \u2022 The Register - mailinvest.blog\" \/>\n<meta property=\"og:description\" content=\"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what&#039;s new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/\" \/>\n<meta property=\"og:site_name\" content=\"mailinvest.blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/freelanceracademic\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-22T13:18:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-22T13:19:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"admin@mailinvest.blog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin@mailinvest.blog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/\"},\"author\":{\"name\":\"admin@mailinvest.blog\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#\\\/schema\\\/person\\\/012701c4c204d4e4ebd34f926cfd31a4\"},\"headline\":\"Open source software supply chain has security risks \u2022 The Register\",\"datePublished\":\"2023-02-22T13:18:28+00:00\",\"dateModified\":\"2023-02-22T13:19:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/\"},\"wordCount\":1788,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/shutterstock_broken_link.jpg\",\"articleSection\":[\"Tech 
Universe\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/\",\"url\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/\",\"name\":\"Open source software supply chain has security risks \u2022 The Register - mailinvest.blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/shutterstock_broken_link.jpg\",\"datePublished\":\"2023-02-22T13:18:28+00:00\",\"dateModified\":\"2023-02-22T13:19:26+00:00\",\"description\":\"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what's new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#primaryimage\",\"url\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/shutterstock_broken_link.jpg\",\"contentUrl\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/shutterstock_broken_link.jpg\",\"width\":650,\"height\":450},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/index.php\\\/2023\\\/02\\\/22\\\/open-source-software-supply-chain-has-security-risks-the-register\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/mailinvest.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Open source software supply chain has security risks \u2022 The Register\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#website\",\"url\":\"https:\\\/\\\/mailinvest.blog\\\/\",\"name\":\"mailinvest.blog\",\"description\":\"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis. mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what&#039;s new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.\",\"publisher\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/mailinvest.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#organization\",\"name\":\"mailinvest\",\"url\":\"https:\\\/\\\/mailinvest.blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/default.png\",\"contentUrl\":\"https:\\\/\\\/mailinvest.blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/default.png\",\"width\":1000,\"height\":1000,\"caption\":\"mailinvest\"},\"image\":{\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/freelanceracademic\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/mailinvest.blog\\\/#\\\/schema\\\/person\\\/012701c4c204d4e4ebd34f926cfd31a4\",\"name\":\"admin@mailinvest.blog\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g\",\"caption\":\"admin@mailinvest.blog\"},\"sameAs\":[\"https:\\\/\\\/mailinvest.blog\",\"admin@mailinvest.blog\"],\"url\":\"https:\\\/\\\/mailinvest.
blog\\\/index.php\\\/author\\\/adminmailinvest-blog\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Open source software supply chain has security risks \u2022 The Register - mailinvest.blog","description":"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what's new, what matters and how technology can enrich your life. mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/","og_locale":"en_US","og_type":"article","og_title":"Open source software supply chain has security risks \u2022 The Register - mailinvest.blog","og_description":"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what's new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.","og_url":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/","og_site_name":"mailinvest.blog","article_publisher":"https:\/\/www.facebook.com\/freelanceracademic\/","article_published_time":"2023-02-22T13:18:28+00:00","article_modified_time":"2023-02-22T13:19:26+00:00","og_image":[{"width":650,"height":450,"url":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg","type":"image\/jpeg"}],"author":"admin@mailinvest.blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin@mailinvest.blog","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#article","isPartOf":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/"},"author":{"name":"admin@mailinvest.blog","@id":"https:\/\/mailinvest.blog\/#\/schema\/person\/012701c4c204d4e4ebd34f926cfd31a4"},"headline":"Open source software supply chain has security risks \u2022 The Register","datePublished":"2023-02-22T13:18:28+00:00","dateModified":"2023-02-22T13:19:26+00:00","mainEntityOfPage":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/"},"wordCount":1788,"commentCount":0,"publisher":{"@id":"https:\/\/mailinvest.blog\/#organization"},"image":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#primaryimage"},"thumbnailUrl":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg","articleSection":["Tech 
Universe"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/","url":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/","name":"Open source software supply chain has security risks \u2022 The Register - mailinvest.blog","isPartOf":{"@id":"https:\/\/mailinvest.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#primaryimage"},"image":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#primaryimage"},"thumbnailUrl":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg","datePublished":"2023-02-22T13:18:28+00:00","dateModified":"2023-02-22T13:19:26+00:00","description":"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis.mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what's new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.","breadcrumb":{"@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#primaryimage","url":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg","contentUrl":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/12\/shutterstock_broken_link.jpg","width":650,"height":450},{"@type":"BreadcrumbList","@id":"https:\/\/mailinvest.blog\/index.php\/2023\/02\/22\/open-source-software-supply-chain-has-security-risks-the-register\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/mailinvest.blog\/"},{"@type":"ListItem","position":2,"name":"Open source software supply chain has security risks \u2022 The Register"}]},{"@type":"WebSite","@id":"https:\/\/mailinvest.blog\/#website","url":"https:\/\/mailinvest.blog\/","name":"mailinvest.blog","description":"Technology is forever changing, and there are always new pieces of technology to replace obsolete ones. Tons of people enjoy reading tech blogs on a daily basis. mailinvest.blog tracks all the latest consumer technology breakthroughs and shows you what&#039;s new, what matters and how technology can enrich your life. 
mailinvest.blog also provides the information, tools, and advice that helps when deciding what to buy.","publisher":{"@id":"https:\/\/mailinvest.blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mailinvest.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/mailinvest.blog\/#organization","name":"mailinvest","url":"https:\/\/mailinvest.blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mailinvest.blog\/#\/schema\/logo\/image\/","url":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/01\/default.png","contentUrl":"https:\/\/mailinvest.blog\/wp-content\/uploads\/2022\/01\/default.png","width":1000,"height":1000,"caption":"mailinvest"},"image":{"@id":"https:\/\/mailinvest.blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/freelanceracademic\/"]},{"@type":"Person","@id":"https:\/\/mailinvest.blog\/#\/schema\/person\/012701c4c204d4e4ebd34f926cfd31a4","name":"admin@mailinvest.blog","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/98ed217bd0f3d6a6dcae2d9b0c76e305b049a07275e315e1407e19ec8b08e139?s=96&d=mm&r=g","caption":"admin@mailinvest.blog"},"sameAs":["https:\/\/mailinvest.blog","admin@mailinvest.blog"],"url":"https:\/\/mailinvest.blog\/index.php\/author\/adminmailinvest-blog\/"}]}},"_links":{"self":[{"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/posts\/44618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/posts"}],"abo
ut":[{"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/comments?post=44618"}],"version-history":[{"count":1,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/posts\/44618\/revisions"}],"predecessor-version":[{"id":44619,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/posts\/44618\/revisions\/44619"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/media\/20462"}],"wp:attachment":[{"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/media?parent=44618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/categories?post=44618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mailinvest.blog\/index.php\/wp-json\/wp\/v2\/tags?post=44618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}