If you’re a hacker, attacking open source software is also very attractive. “If I’m an attacker and I know that tens of thousands of organizations use, for example, MySQL, then writing an exploit that will attempt to break into MySQL based on a known vulnerability is much more likely to succeed statistically, because it’s being used everywhere,” explained Rani Osnat, vice president of strategy and product marketing at cloud native security company Aqua.
It also helps that these vulnerabilities are often public knowledge: even if they aren’t in the CVE databases, they have likely been reported as bugs on GitHub. “Very few bad guys go through the effort of actually finding holes in software,” Osnat said. Open source is also easier to examine and experiment with, so the level of sophistication required to exploit it is lower.
Open source is also … open. Because anyone can contribute, attackers can poison the software supply chain by intentionally inserting vulnerabilities into the code, with the intention of exploiting those vulnerabilities in the future. That’s a threat vector that, while not totally nonexistent in a closed-source software project, is substantially less likely to be a problem with either custom code developed internally or closed-source software from a vendor.
