23 October 2025

Open Source is the World’s Biggest Security Risk – And We’re All Ignoring It


96 percent of all commercial software contains open-source components. Most are maintained by individual, unpaid developers. Log4j was just the beginning – the next catastrophe is lurking in a library maintained by a hobbyist in Nebraska. Why the open-source model is in a security crisis.

TL;DR

  • 96 percent of commercial codebases contain open-source libraries – an average of over 500 dependencies per project
  • The Log4Shell vulnerability (2021) affected over 35,000 Java packages and caused an estimated €10 billion in damage
  • Over 25 percent of all open-source projects are maintained by a single maintainer – without compensation, without security audits
  • Supply-chain attacks via compromised open-source packages increased by 740 percent in 2024 compared to the previous year

The xz Utils Warning Sign

In March 2024, a Microsoft developer accidentally discovered a backdoor in xz Utils – a compression library found in virtually every Linux distribution. The backdoor was sophisticated: An attacker had spent over two years infiltrating the project as a helpful contributor, gaining the trust of the overworked maintainer, and eventually embedding an SSH backdoor.

The attack was only discovered by chance – because a developer noticed that SSH logins were 500 milliseconds slower than expected. If he hadn’t been curious, the backdoor would have compromised millions of servers worldwide. This is not a security model. This is luck.

The Uncomfortable Truth About “Given Enough Eyeballs”

The open-source mantra is: “Given enough eyeballs, all bugs are shallow.” Linus’ Law. The idea that open code is automatically secure because anyone can review it. The reality: No one reviews it.

OpenSSL – the cryptographic library that secures half the internet – was maintained for years by two people with an annual budget of less than €10,000. Heartbleed, one of the worst vulnerabilities in internet history, lurked in the code for two years. Not because the code was secret, but because no one was looking.

Log4j – the Java logging library that sent the internet into a state of emergency in 2021 – was maintained by three volunteers. They didn’t intentionally introduce the vulnerability. They just didn’t have the resources to check every code path for security.

Supply Chain: The Perfect Attack Vector

Attackers have realized that the most efficient way into thousands of companies isn’t through their firewalls, but through their dependencies. A compromised npm package with 10 million weekly downloads automatically infects thousands of build pipelines.

The attacks are getting more sophisticated: typosquatting (packages whose names mimic popular libraries), dependency confusion (a public package published under the name of an internal one, so that builds pull the attacker’s copy instead), maintainer takeover (as with xz Utils). And the defense? Fragmented, underfunded, and reactive.

What Needs to Be Done

Funding Critical Infrastructure: Open-source libraries used in more than 10,000 projects are de facto critical infrastructure. They must be treated and funded as such – through government programs, industry consortia, or mandatory contributions from companies that rely on them.

Software Bill of Materials (SBOM): Every company must know which open-source components are in its products. SBOMs must become mandatory – the EU is working on it, but implementation is taking too long.

Automated Security Audits: Every update of a critical library must go through automated security checks before it reaches production systems. Tools like Dependabot, Snyk, or Socket.dev help – but they must become standard, not optional.

Conclusion: Open Source Needs a New Security Model

Open source is not the problem – it’s the solution to countless technological challenges. But the security model is based on an illusion: that voluntarism and transparency are enough. They are not. The world builds its digital infrastructure on unpaid labor – and is surprised when it collapses.

Key Facts

xz Utils Attack: The backdoor was only discovered by chance – the attacker had invested two years and would have been successful without a vigilant developer.

Funding Gap: The Linux Foundation estimates that global open-source infrastructure needs at least €2 billion in annual investment – in reality, less than €200 million flows in.

Frequently Asked Questions

Is proprietary software more secure than open source?

Not universally. Proprietary software has the same vulnerabilities; they are just handled less transparently. The difference: Proprietary software has paid developers and security teams. Open source needs the same – without sacrificing transparency.

What should companies do immediately?

First: Create an SBOM for all products. Second: Integrate automated dependency scanning into the CI/CD pipeline. Third: Financially support critical open-source projects that you depend on.
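The dependency-scanning step above, together with the typosquatting and dependency-confusion patterns described under “Supply Chain”, as an added example that is not part of the article: a minimal CI gate that reads a CycloneDX-style SBOM and flags both patterns. The package names, the internal namespace @acme/ and the registry URLs are constructed sample data.

```python
import json

# Constructed: packages the team actually depends on (the "popular" names an
# attacker would imitate) and the namespace reserved for internal packages.
KNOWN_GOOD = {"lodash", "express", "requests", "left-pad"}
INTERNAL_PREFIX = "@acme/"
PUBLIC_REGISTRIES = ("https://registry.npmjs.org", "https://pypi.org")

def edit_distance(a, b):
    """Levenshtein distance; a small distance to a known name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_sbom(sbom):
    """Return a list of (package, reason) findings for a parsed CycloneDX dict."""
    findings = []
    for comp in sbom.get("components", []):
        name, source = comp["name"], comp.get("registry", "")
        # Dependency confusion: an internal-namespace package resolved from a
        # public registry means the build may have pulled an attacker's copy.
        if name.startswith(INTERNAL_PREFIX) and source.startswith(PUBLIC_REGISTRIES):
            findings.append((name, "internal package resolved from public registry"))
            continue
        # Typosquatting: a name one edit away from a package we know,
        # but not that package itself.
        if name not in KNOWN_GOOD:
            for good in KNOWN_GOOD:
                if edit_distance(name, good) <= 1:
                    findings.append((name, f"looks like a typosquat of {good}"))
                    break
    return findings

# Constructed sample SBOM (CycloneDX-like shape, trimmed to the fields used).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "version": "4.17.21", "registry": "https://registry.npmjs.org"},
    {"name": "expres", "version": "1.0.0", "registry": "https://registry.npmjs.org"},
    {"name": "@acme/billing", "version": "2.3.0", "registry": "https://registry.npmjs.org"},
    {"name": "@acme/auth", "version": "1.1.0", "registry": "https://npm.internal.example"}
  ]}""")

if __name__ == "__main__":
    for pkg, why in audit_sbom(SAMPLE_SBOM):
        print(f"BLOCK {pkg}: {why}")
```

In a real pipeline the known-good list would come from the project’s lockfile and the internal namespace from the registry configuration; any finding should fail the build rather than just print.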

Will the Cyber Resilience Act (CRA) solve the problem?

The EU’s CRA mandates security by design for software products – including open-source components. This is an important step, but implementation must ensure that unpaid maintainers are supported, not criminalized.


Tobias Massow


A magazine by Evernine Media GmbH