A review of open-source software, which makes source code public so anyone can modify and distribute it, found vulnerabilities that could be exploited in real-world hacking in about 0.5% of the components examined.
Korea Internet & Security Agency (KISA) said on the 7th that an analysis of about 231,000 open-source components found security vulnerabilities in 3.5% that could be exploited for remote execution of malware and exposure of sensitive information.
In 0.49% of open-source components, high-risk vulnerabilities listed as known exploited vulnerabilities (KEV), which could be used for real-world hacking or distributed denial-of-service (DDoS) attacks, were identified.
KISA said that all of the surveyed software used at least one open-source component.
As open-source use becomes routine and cyberattacks intensify, major countries including the United States and the European Union (EU) are strengthening software supply chain management guidelines, such as mandating submission and management of a "software bill of materials" (SBOM).
In the EU, measures such as the Cyber Resilience Act (CRA) and the EUCC certification scheme are being applied, and starting in September next year, all companies exporting software to the EU will be obligated to notify the authorities of vulnerabilities found even after sale.
KISA has built a supply chain security management system that covers everything from the initial adoption of external source code to post-distribution monitoring, since companies find it difficult to check each supply chain security requirement one by one.
An official at the agency explained, "In a situation where developers cannot trust that source code taken from places like GitHub is safe, we are collecting frequently used open source, verifying it, generating SBOMs, and ensuring only approved open source is used."
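The workflow the official describes (collect the open source that teams actually use, verify it, record it in an SBOM, and let only approved components through) is enforced in practice by a gate that reads the SBOM of a build and rejects anything that is not on the approved list or that carries a known-exploited vulnerability. The following Python script is an added illustration of such a gate; it is not KISA's system or code. The SBOM fragment follows the CycloneDX JSON layout, but every package name, version, approved-list entry and KEV identifier in it is constructed for the example.

```python
"""Added example (not KISA's system): an SBOM gate that admits only
pre-approved open-source components and blocks versions carrying a
known-exploited vulnerability. All data below is constructed."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment. The structure mirrors the
# CycloneDX JSON layout; the packages and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:maven/org.example/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "1.0.9",
     "purl": "pkg:maven/org.example/example-http-client@1.0.9"},
    {"type": "library", "name": "example-template-engine", "version": "0.4.0",
     "purl": "pkg:pypi/example-template-engine@0.4.0"}
  ]
}
"""

# Constructed allowlist standing in for the "approved open source" store:
# package (purl without version) -> versions that security review cleared.
APPROVED = {
    "pkg:maven/org.example/example-json-parser": {"2.3.1", "2.3.2"},
    "pkg:maven/org.example/example-http-client": {"1.1.0"},
}

# Constructed known-exploited list: package -> {version: entry id}.
# The id is hypothetical; a real gate would load the published KEV catalogue.
KNOWN_EXPLOITED = {
    "pkg:maven/org.example/example-http-client": {"1.0.9": "KEV-EXAMPLE-0001"},
}


@dataclass(frozen=True)
class Finding:
    purl: str
    reason: str


def split_purl(purl):
    """Return (package, version); the purl version follows the last '@'.
    An unpinned purl (no '@') yields an empty package so the caller can
    refuse it rather than guess."""
    pkg, _, version = purl.rpartition("@")
    return pkg, version


def check_sbom(sbom_text, approved=APPROVED, kev=KNOWN_EXPLOITED):
    """Evaluate every component and return the findings in SBOM order.
    A component passes only if its exact version is on the approved list
    and that version has no known-exploited entry."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append(Finding(comp.get("name", "?"), "missing purl; cannot be verified"))
            continue
        pkg, version = split_purl(purl)
        if not pkg:
            findings.append(Finding(purl, "unpinned version; cannot be verified"))
            continue
        kev_id = kev.get(pkg, {}).get(version)
        if kev_id:
            findings.append(Finding(purl, f"known-exploited vulnerability {kev_id}"))
            continue
        if version not in approved.get(pkg, set()):
            findings.append(Finding(purl, "not on approved open-source list"))
    return findings


def gate(sbom_text):
    """Return (passed, findings, flagged_ratio); any finding fails the build."""
    findings = check_sbom(sbom_text)
    total = len(json.loads(sbom_text).get("components", []))
    ratio = len(findings) / total if total else 0.0
    return (not findings), findings, ratio


if __name__ == "__main__":
    passed, findings, ratio = gate(SBOM_JSON)
    print("PASS" if passed else "FAIL", f"({ratio:.0%} of components flagged)")
    for f in findings:
        print(f"  {f.purl}: {f.reason}")
```

The gate deliberately fails closed: a component without a purl or without a pinned version is reported as unverifiable rather than waved through, which is the behaviour an "only approved open source" policy needs. Running it on the constructed SBOM flags two of the three components, one for a known-exploited version and one for never having been approved.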