Safeguard
Open Source Security

What is Open Source Security

Open source powers 70-90% of modern codebases. Learn what open source security means, its real risks, and how reachability analysis cuts through the noise.

James
Principal Security Architect
Updated 6 min read

Open source security is the practice of identifying, assessing, and remediating vulnerabilities and risks introduced by third-party open source components in an application's codebase. Modern software is built on open source: a typical enterprise application pulls in hundreds or thousands of transitive dependencies, and by some industry estimates open source code now makes up 70-90% of the average codebase. Every one of those packages is code your team didn't write but is still responsible for. Open source security covers software composition analysis (SCA), open source security scanning for known vulnerabilities, license compliance, dependency update management, and increasingly, reachability analysis to determine whether a vulnerable function is actually exploitable in your application. It is not optional — it is the baseline requirement for shipping software that doesn't collapse the first time a maintainer's account gets compromised or a CVE drops on a Friday afternoon.

What Counts as an Open Source Security Risk?

An open source security risk falls into one of four buckets: known vulnerabilities (CVEs), malicious packages, license violations, and maintenance risk from abandoned or single-maintainer projects. Known vulnerabilities are the most visible category — the National Vulnerability Database logged over 40,000 CVEs in 2024 alone, and a large share trace back to open source libraries in the JavaScript, Python, and Java ecosystems. Malicious packages are a fast-growing second category: Sonatype's 2023 State of the Software Supply Chain report recorded over 245,000 malicious packages published to open source registries that year, more than double the combined total from all prior years. License violations — for example, unknowingly shipping AGPL-licensed code inside a proprietary product — create legal exposure rather than technical exposure, but they're still tracked as part of open source security posture. Maintenance risk is subtler: a 2022 study by the Linux Foundation and Harvard found the median open source project has only a handful of active contributors, meaning a single burned-out maintainer can leave a widely used package unpatched for months.

How Do Open Source Vulnerabilities Actually Get Into Production Code?

Open source vulnerabilities enter production through three main paths: direct dependencies, transitive dependencies, and compromised build pipelines. Direct dependencies are the packages a developer explicitly adds to a package.json, requirements.txt, or pom.xml — these are the easiest to audit because they're visible. Transitive dependencies are pulled in automatically by those direct dependencies and are where most risk actually hides; a single React application with 30 direct dependencies can easily resolve to 1,000+ transitive packages in its lockfile. Compromised build pipelines are the most severe path, exemplified by the 2021 Codecov Bash Uploader breach, where attackers modified a CI script to exfiltrate credentials from thousands of downstream customer environments, and the 2023 3CX supply chain attack, where a legitimate desktop application was trojanized upstream and distributed through official channels to an estimated 600,000 users. Each path requires a different control: direct dependencies need open source security scanning via SCA, transitive dependencies need full dependency-tree visibility, and build pipelines need provenance verification like SLSA attestations.

What Is the Difference Between Open Source Security and Traditional Application Security?

The difference is ownership: traditional AppSec secures code your organization writes, while open source security secures code your organization consumes but didn't write and can't unilaterally fix. When a static analysis tool (SAST) flags a bug in your own codebase, your engineers write the patch. When a scanner flags CVE-2021-44228 (Log4Shell) in a transitive dependency four layers deep, you're waiting on an upstream maintainer, forking the package yourself, or applying a runtime mitigation — none of which are quick. This is also why open source security tooling looks different from SAST: it centers on Software Bill of Materials (SBOM) generation to enumerate exactly what's in a build, vulnerability databases (NVD, OSV, GitHub Advisory Database) to match components against known issues, and dependency graph analysis to trace a vulnerable function back to every place it's actually called. Log4Shell is the canonical example of why this distinction matters — Log4j was a transitive dependency in an estimated 35,000+ Java packages, and organizations without dependency-tree visibility spent weeks just figuring out where they were exposed, let alone fixing it.

Why Did Open Source Security Become a Board-Level Priority After 2020?

Open source security became a board-level priority after 2020 because two events proved that a single upstream compromise can cascade into thousands of victims simultaneously. The SolarWinds attack, disclosed in December 2020, involved attackers inserting malicious code into the Orion software build process, ultimately affecting roughly 18,000 organizations including multiple U.S. federal agencies. Then in May 2021, Executive Order 14028 explicitly directed U.S. federal agencies to require SBOMs from software vendors, turning what had been a best practice into a procurement requirement. The Log4Shell disclosure in December 2021 reinforced the message at massive scale, affecting an estimated 93% of enterprise cloud environments according to contemporaneous industry telemetry. By 2023, frameworks like SLSA (Supply-chain Levels for Software Artifacts) and standards bodies like CISA were publishing formal guidance, and open source risk moved from a line item in an engineering backlog to a recurring topic in board and audit committee meetings.

How Should a Security Team Actually Reduce Open Source Risk?

A security team reduces open source risk by prioritizing fixes based on exploitability, not just CVE severity scores. The single biggest efficiency gain is separating vulnerabilities that are theoretically present from vulnerabilities that are actually reachable — Google's Open Source Insights team has estimated that fewer than 10% of flagged vulnerabilities in a typical dependency tree correspond to code paths an application actually executes, meaning teams that triage by CVSS score alone waste the vast majority of remediation effort on unreachable code. Beyond reachability, effective programs maintain a continuously updated SBOM for every build (not a point-in-time snapshot), enforce automated pull request checks that block new critical vulnerabilities before merge, and set explicit SLAs — for example, patching critical, actively-exploited CVEs within 72 hours per NIST guidance, versus 30 days for high-severity, non-exploited ones. Teams that skip prioritization entirely tend to drown: a mid-size engineering org with 200 repositories can easily generate 5,000+ open findings in a first scan, and without reachability data, triage becomes guesswork.

How Safeguard Helps

Safeguard turns open source vulnerability noise into a prioritized, actionable list by combining SBOM generation and ingest with reachability analysis that traces every flagged CVE to the actual call paths in your codebase, so teams can see immediately which findings are exploitable and which are dead code. Griffin AI, Safeguard's analysis engine, correlates that reachability data with exploit intelligence and package metadata to rank remediation work by real-world risk rather than raw CVSS score. When a fix is available, Safeguard generates auto-fix pull requests that bump the affected dependency to a patched, compatible version, so engineers spend their time reviewing a diff instead of researching a fix. For organizations under SOC 2, FedRAMP, or EO 14028 procurement requirements, Safeguard's continuous SBOM ingest keeps compliance evidence current without a manual audit cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.