Rethinking Open Source Security

June 19, 2025June 24, 2025 viviandufourcybersecurity, opensource, riskLeave a comment

Essential Steps for Leaders Before the Next Supply Chain Attack

Author: Rod Cobain • 4 min read

An illustration representing strategic leadership, featuring a businessman pointing and discussing strategy, alongside chess pieces, a light bulb symbolizing ideas, and a graph indicating growth.

A Storm Is Brewing

We live in an age of unprecedented digital dependency. From agile startups to global enterprises, modern organizations rely on interconnected software systems, primarily driven by open source software (OSS). While OSS is powerful, flexible, and cost-effective, it increasingly represents a critical cybersecurity risk.

Cyber attackers are aggressively exploiting open source vulnerabilities, targeting the tools and libraries that power global innovation. The question isn’t whether your organization uses open source software—it undoubtedly does. The critical question is: How effectively are you securing it?

This article will explore:

Why open source vulnerabilities attract cyber attacks.
The evolving nature of these threats.
The crucial role of cybersecurity thought leadership.
Strategic actions leaders must take immediately.

Open Source Software: The Expanding Attack Surface

The Prevalence of Open Source

80-90% of modern applications incorporate OSS components.
OSS underpins critical infrastructure including finance, AI, and cloud services.
OSS adoption is accelerating within IoT and edge computing environments.

Why Attackers Target Open Source

A single vulnerability can impact thousands or millions of systems.
Attackers view the software supply chain as an attractive, often poorly defended target.
Many organizations lack visibility into OSS dependencies.

Recent High-Profile Incidents

Log4Shell (Log4j): A critical vulnerability in a widely used Java library triggered global disruption.
SolarWinds: Attackers infiltrated software updates, compromising numerous downstream systems.
MOVEit: Exploitation of a vulnerability in file-transfer software resulted in extensive data breaches.

These events signify a broader trend: cyber attacks exploiting OSS vulnerabilities are increasing in frequency and impact.

The Need for Thought Leadership

Challenging False Security Assumptions

Executives often mistakenly assume:

OSS security is someone else’s responsibility.
Commercial vendors adequately secure dependencies.
Development teams alone can manage open source risks effectively.

In reality:

OSS projects are often maintained by small volunteer teams.
Security debt accumulates rapidly.
Strategic oversight cannot be replaced by tools alone.

The Critical Role of Cybersecurity Thought Leadership

1. Driving Organizational Awareness

Treat software risk as a business risk.
Discuss OSS vulnerabilities regularly at board meetings.
Implement continuous monitoring and risk management strategies.

2. Building Industry Collaboration

Foster industry-wide partnerships to strengthen OSS security.
Support and participate in initiatives such as the Open Source Security Foundation (OpenSSF).

3. Influencing Public Policy

Advocate for clear software liability frameworks.
Promote mandatory Software Bill of Materials (SBOM) use for transparency and traceability.

4. Leading by Example

Adopt secure open source practices internally.
Showcase effective practices to peers and partners.
Contribute actively to open source communities.

Proactive Leadership Actions: Steps You Should Take Now

For CISOs, CEOs, and Security Officers:

Deploy comprehensive Software Composition Analysis (SCA) solutions.
Maintain a complete, continuously updated inventory of OSS components.
Embed security earlier into the development lifecycle (shift-left approach).
Accelerate patching of OSS vulnerabilities through automated remediation.
Engage with and support OSS communities financially and operationally.

For Executives and Board Members:

Request regular software supply chain risk assessments.
Allocate resources to enhance OSS security measures.
Support cross-industry initiatives and SBOM adoption.
Promote a culture where software security is central to business strategy.

The Broader Impact: Securing a Global Commons

Open source software represents a global digital commons. Poor security practices risk widespread systemic failure, not just isolated breaches. Robust thought leadership from security and business executives can act as a force multiplier by:

Driving critical awareness and urgency.
Shaping industry standards and best practices.
Influencing proactive, collaborative security cultures.

Without proactive leadership, organizations face continuous cycles of reactive firefighting. With it, we can build resilience and trust in the digital future.

Conclusion: Your Leadership Legacy

The stakes have never been higher:

Attackers are innovating rapidly.
OSS vulnerabilities will continue to surface and be exploited.
Regulatory landscapes and liability expectations are evolving quickly.

Now is the time for bold cybersecurity leadership that transcends organizational silos, engages across industries, and shapes global security practices. As a leader, ask yourself:

Is your organization prepared for the next OSS attack?
Are you shaping the conversation or merely reacting?
What legacy will you leave in securing the software that powers the world?

The future of digital trust depends on your answers.

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

April 16, 2025April 17, 2025 viviandufourcybersecurity, opensource, risk, vulnerabilityLeave a comment

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations scrambling for reliable data in the U.S. and globally.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking over 400,000+ vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow. We have a multitude of integrations and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level? Check out our product page infographic to see how our database stacks up against the competition.

EU Cyber Resilience Act: Key Updates on SBOM Compliance

November 20, 2024November 20, 2024 bbossolacompliance, CRA, cyber-security, cybersecurity, devops, meterian, opensource, regulation, risk, security, technologyLeave a comment

Since our previous discussion on the EU Cyber Resilience Act (CRA) and Software Bill of Materials (SBOMs), significant updates have clarified and expanded the framework for compliance. The European Parliament approved the CRA on March 12th, marking its importance in enhancing product security across the EU. This follow-up explain these developments, focusing on new guidelines and the evolving expectations for SBOM compliance.

New clarity on SBOMs from Germany: TR-03183

To provide more detailed guidance, Germany’s Federal Office of Information Security (BSI) released the Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)), version 2.0. This 20-page document sets the groundwork for SBOM requirements under the CRA. Key highlights include:

Mandatory SBOM Compilation: An SBOM is essential for meeting CRA compliance.
Minimum Information Requirements: The SBOM must include the component name, version, dependencies, license (preferably using SPDX or ScanCode identifiers), and a SHA-256 hash.
Version-Specific SBOMs: A separate SBOM must be generated for each software version, with updates made only for error corrections or new information.
Preferred Formats: SBOMs must adhere to CycloneDX (v1.4 or higher) or SPDX (v2.3 or higher).
Process Integration: The SBOM must be generated as part of the build process or an equivalent mechanism.

Other recommendations, such as using CSAF with a VEX profile for distributing vulnerability information, aim to enhance transparency without directly embedding vulnerabilities in the SBOM.

Challenges in SBOM Implementation

While TR-03183 provides critical guidance, several unresolved issues highlight the complexities of SBOM creation and usage:

Identification Gaps: The absence of mandatory CPE or PURL requirements makes vulnerability reporting from SBOMs prone to errors.
Undefined “Scope of Delivery”: The guidelines use this term to define the depth of transitive component enumeration but lack clarity on acceptable thresholds.
SHA-256 Ambiguity: The methodology for computing a SHA-256 hash of source code remains unspecified.
Relationship Details: While all transitive components must be recursively included, relationships among them are not explicitly required. This omission can hinder the effectiveness of SBOMs in vulnerability management.

Preparing for CRA Compliance

The CRA’s adoption signals a critical need for manufacturers and software developers to refine their compliance strategies. With enforcement set for early 2027, organisations should prioritise:

Automating SBOM Generation: Tools like Meterian can streamline SBOM creation, ensuring accurate dependency mapping and compliance with CRA’s format requirements.
Enhancing Vulnerability Management: Despite the lack of mandatory CPE or PURL, integrating these identifiers into internal processes can improve accuracy.
Staying Updated: Monitoring updates to technical guidelines like TR-03183 will be vital as CRA implementation progresses.

Looking ahead

The CRA represents a significant step forward in securing the digital ecosystem. By leveraging clear guidelines and robust tools, organisations can align with compliance requirements while strengthening their cybersecurity posture. The publication of TR-03183 marks progress but also underscores the need for continued refinement as industry feedback shapes the future of SBOM practices.

Navigating the complexities of SBOM creation and CRA compliance doesn’t have to be overwhelming. Meterian provides automated solutions designed to simplify the generation and management of SBOMs, ensuring:

Effortless Compliance: Meterian supports both CycloneDX format, helping you meet the CRA’s technical requirements with ease.
Comprehensive Dependency Mapping: Automatically scans your codebase to identify all components and transitive dependencies, ensuring nothing is missed.
Ongoing Vulnerability Monitoring: Integrates seamlessly with vulnerability databases to keep your SBOMs updated and your products secure.
Time-Saving Automation: Embeds SBOM generation into your build processes, reducing manual effort and increasing efficiency.

With Meterian, you can confidently meet CRA requirements while enhancing your overall security posture. Contact us to learn how we can support your journey toward compliance and beyond.

WHY IS SOFTWARE COMPOSITION ANALYSIS (SCA) IMPORTANT?

September 20, 2024September 20, 2024 bbossolacyber-security, cybersecurity, opensource, risk, security, software, technology, vulnerabilityLeave a comment

Attacks through open source are growing year on year, so companies cannot rely only on periodic pen testing. The code needs to be scanned on a daily basis during the lifecycle of the application’s development stages, and continue to do so once an application is deployed.

Modern software development in fact heavily relies on open-source components: they accelerate development, reduce costs, and provide access to well-tested, community-maintained code. Understanding the composition of their software products is crucial for companies producing applications, as it helps manage and secure the significant portion of their codebase that originates from open-source projects.

Checking open-source components in software development is crucial for at least three reasons: let’s have a closer look and clarify the problems.

Security Risks

The code of open-source components is always publicly available and it is a natural target for hackers. Each day, more than 50 new vulnerabilities are discovered in open-source components and, if not identified and managed, they can be exploited, leading to security breaches.

Countless examples are available:

the Canadian Revenue Agency hack (2014): OpenSSL Heartbleed (CVE-2014-0160)
the Equifax data breach (2017): Apache Struts vulnerability (CVE-2017-5638)
the iCloud and Minecraft hack (2021): Log4j vulnerability (CVE-2021-44228)

All these hacks were performed using a vulnerability in an open-source component: nothing was wrong with the code written by the respective developers.

How common are vulnerabilities? See, in this sample, the growth of vulnerabilities in the .NET open-source ecosystem:

Please note that this is a restricted view that matches exclusively only vulnerabilities affecting opensource components specific to the .NET ecosystem. Across all ecosystems, more than 100,000 vulnerabilities affecting open-source components are recorded.

The risks are real. If you want to learn more you can also read our blog here.

License compliance

Open-source components come with various licenses, each with specific requirements and restrictions. Failing to comply with these licenses can lead to legal issues, including copyright infringement claims.

Among all those, let’s not forget TruthSocial, the famous Twitter clone created by the Trump Media & Technology Group, was found to be in breach of an OSS license and had to disclose its source code publicly.

Also Tesla decided to release its code to the public to comply with a copyleft license. On another occasion. Westinghouse Digital Electronics preferred bankruptcy.

The risks are real. If you want to learn more you can also read our blog here.

Quality and reliability

While open-source software can be of high quality, this varies significantly, and some components might be abandoned or poorly maintained. Using such components can pose risks to the project’s stability and reliability.

Here introducing you Swashbuckle, a popular .NET project that has been abandoned by his creator for a more interesting adventures and now lays unmaintained and without an owner. It was last updated 6 (six) years ago.

Let’s also have a look at Lazy, another popular NodeJS component that was last updated 11 (eleven) years ago. While it’s a small library with a limited attach surface, why would you like to have this in your application? Software does not age like fine wine, unfortunately.

This is an example of two commonly used opensource components that have not been updated in years, a very long time in software development. Those components are basically not maintained anymore: if a problem is found, it won’t be fixed. If a vulnerability is there, nobody will know about it (apart from the occasional hacker, of course)

How Meterian SCA helps solve the challenge

Meterian offers a comprehensive application security platform designed to enhance the security posture, compliance adherence, and overall quality of software projects. This platform provides in-depth analysis and automation capabilities, empowering organisations to effectively manage open-source and third-party libraries throughout their software development lifecycle. Through its robust features, Meterian enables organisations to identify and mitigate vulnerabilities, ensure compliance with relevant regulations and standards, and maintain a high level of software quality.

Meterian is unique compared to its competitors because of various characteristics, let’s explore them

Supports the largest number of ecosystems
If you are using a legacy technology like Perl, focus on data science using Jupyter Notebooks, build video games with Unity, or build ultra-fast micro-services with Rust, you deserve the best protection available. Meterian supports a wide range of languages and ecosystems, and if your platform is not there, we will be happy to support it for you.

Easy to to deploy on premises or dedicated cloud
In the SaaS industry, the requirement for a dedicated single-tenant instance or an on-premises installation may be driven by specific business needs, such as tight security, data sovereignty, and geo-location considerations. Meterian can easily provide a single-tenant environment, either on-cloud or on-prem, and offers also a range of air-gapped solutions for extreme secure environments.

Comprehensive vulnerability database
Meterian’s vulnerability database not only boasts a broader coverage than any of its competitors but is also updated daily through a fully automated system that integrates numerous OSINT sources and Meterian’s specially curated databases, including AI-generated advisories directly from the analysis of open-source repositories. This automated process outpaces manual entry methods, ensuring we maintain a competitive edge through faster and more efficient updates, a key differentiation in our service offering.

Superior customer support
Speed, quality of responses, customer obsession, won deals because of this. We have a unique culture where the concept of “support” does not really exist, as all engineers are constantly working with customers. We want to be obsessed with customers, solve their problems quickly and effectively. Every customer support query is directly handled by engineers and is given priority in our backlog. This approach guarantees that our product evolves in response to real-world feedback, while also maintaining the highest level of customer satisfaction.

What next?

Don’t just take our word for it – experience the benefits for yourself. We invite you to schedule a demo to see how our solution can make a difference in your organisation’s security posture. Our team of experts is ready to guide you through the features and show you how it can address your specific security challenges. Take the first step towards a more secure future – reach out today and discover how Meterian can elevate your cybersecurity strategy.

Looking forward hearing from you.

Meeting Compliance Challenges in Healthcare: How Cybersecurity Partnerships Can Lead to Success

July 11, 2024July 11, 2024 bbossolabusiness, compliance, cybersecurity, healththech, SBOM, security, technologyLeave a comment

As healthcare companies face a complex web of EU and US regulations, understanding and adhering to these standards is crucial for maintaining trust and operational continuity. Regulations such as the EU’s Medical Device Regulation (MDR), the Network Information Security (NIS) directive, and upcoming legislation like the Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) demand meticulous compliance and robust cybersecurity measures.

Specifically, MDR requires stringent oversight of software used within medical devices, demanding thorough documentation and regular updates to ensure safety and performance. Meterian simplifies these tasks by automating the detection of vulnerabilities and outdated components in software, facilitating compliance through comprehensive Software Bill of Materials (SBOMs). These SBOMs provide a detailed inventory of all software components, crucial for MDR compliance, and help healthcare organisations maintain the integrity and security of their medical devices. By streamlining these processes, Meterian not only aids in meeting regulatory requirements but also enhances operational efficiency and reduces the risk of non-compliance penalties.

Meterian stands as a pivotal ally for healthcare companies navigating these regulatory landscapes. By offering tools that facilitate compliance with these stringent regulations, Meterian ensures that healthcare providers can focus more on patient care and less on the nuances of cybersecurity compliance.

The conversation around SBOMs and compliance is growing, and Meterian is leading these discussions with healthcare companies, showcasing how automation and detailed compliance reporting can ease the burden on healthcare providers. Whether it’s a startup or a seasoned enterprise, Meterian’s scalable solutions fit diverse budgets and operational scales, making comprehensive cybersecurity accessible to all healthcare entities.

By partnering with Meterian, healthcare companies not only ensure compliance with current regulations but also prepare for future legislative changes. Meterian’s proactive approach helps companies anticipate and adapt to the regulatory landscape, ensuring that they are always one step ahead in their cybersecurity measures.

Are you ready to elevate your healthcare organisation’s compliance and cybersecurity strategy?

Partner with Meterian today to ensure that your technology infrastructure meets the stringent demands of regulations like the NIS Directive and MDR. Don’t wait until a cybersecurity incident occurs – take proactive steps to safeguard your patient data and systems.

Visit our website or contact us to learn how Meterian can help your healthcare organisation stay secure, compliant, and resilient in an ever-evolving digital landscape.

Understanding the Importance of Software Composition Analysis in the Context of EU’s DORA Regulations

April 15, 2024April 16, 2024 bbossolacompliance, cybersecurity, meterian, vulnerabilitiesLeave a comment

The EU’s Digital Operational Resilience Act (DORA) represents a significant step towards ensuring that the financial sector can withstand and rapidly recover from ICT-related disruptions and threats. Among the wide variety of security testing tools and actions mandated by DORA, Software Composition Analysis (SCA) emerges as a critical component. Let’s explore why SCA is vital in this new regulatory landscape and how solutions like Meterian can be particularly beneficial.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is a cybersecurity process that helps organizations identify and manage open source components within their software inventory. SCA tools scan software projects to detect open source libraries and frameworks, check the versions used, and compare them against databases of known vulnerabilities. Additionally, SCA assesses license compliance risks, ensuring that the open source licenses are compatible with corporate policies on software usage.

The Role of SCA Under DORA

The DORA framework emphasizes the need for a broad and adaptable approach to cybersecurity, recognizing the diverse nature of financial entities and their varying levels of ICT maturity. Here’s why SCA is integral to this approach.

Vulnerability Management
Financial entities utilize a plethora of software solutions, many of which rely on open-source components. SCA provides a systematic approach to detecting vulnerabilities in these components, some of which may be critical and widely exploited in the financial sector. By identifying these vulnerabilities early, financial institutions can patch them before they are exploited.

Compliance and Risk Management
DORA calls for rigorous compliance standards, including in areas like software licensing. SCA tools automatically detect the licenses of every component and alert teams about potential legal and operational risks, thus supporting compliance with DORA requirements.

Enhanced Operational Resilience
By integrating SCA into their cybersecurity practices, financial institutions can improve their operational resilience. Knowing exactly what is in their software reduces the time and resources spent on crisis management in the event of a security breach.

Supporting Advanced Testing Requirements
As entities mature, advanced testing such as Threat-Led Penetration Testing (TLPT) becomes viable. SCA ensures that the foundational elements of software security are addressed, which is critical for conducting more sophisticated, scenario-based tests effectively.

How Meterian Can Help

In the context of DORA, Meterian stands out as a valuable ally for financial institutions aiming to enhance their software security posture. Here’s how Meterian can specifically support compliance and resilience:

Continuous Security and Compliance Monitoring: Meterian continuously scans your software projects, providing real-time alerts on new vulnerabilities and compliance issues. This ongoing monitoring ensures that financial entities can respond promptly to emerging threats.
Automated Fix Suggestions: Beyond identifying issues, Meterian provides actionable insights and automated fix suggestions. This helps in quickly resolving vulnerabilities and license conflicts, significantly reducing the window of exposure.
Ease of Integration: Meterian’s platform can be seamlessly integrated into existing development workflows. This integration ensures that security and compliance checks occur throughout the software development life cycle, aligning with DORA’s emphasis on continuous improvement and adaptation.
Customizable Reporting: Meterian offers detailed, customizable reports that can assist financial entities in demonstrating their compliance with DORA regulations to regulators. These reports provide clear evidence of the proactive measures taken to ensure operational resilience.

By leveraging SCA tools like Meterian, financial institutions can not only meet the stringent requirements set forth by DORA but also significantly strengthen their cybersecurity frameworks. This proactive approach to software security is essential in a landscape where digital operations are increasingly integral to financial stability and success.

Ship software without vulnerabilities.

Level up your confidence in open source dependencies

Menu

compliance