Open source code can also be open risk

Issue 3 2025 Information Security, Infrastructure

Software development has fundamentally changed over the years. Agile approaches, rapid release cycles, and DevOps culture have transformed how software is created and released. Amid this changing environment, one truth has gradually emerged: open-source code increasingly forms the basis of modern applications. Survey-based estimates indicate that 60 – 90% of the average application's code base consists of open-source components. This is not merely a matter of convenience; it is a necessity for innovation, speed, and economic viability. But with such widespread adoption comes an under-recognised truth: open source introduces risk.

The question is not whether you are using open-source code, but rather whether you are doing it in a practical and managed way. That is where Debricked, a company within OpenText, comes into the picture. Debricked is becoming an essential solution in the modern secure software development lifecycle. Below, I explore why that is the case.


Wehann Kritzinger.

The open source problem no one is talking about

Despite the many benefits of open-source software, it raises unique problems that most organisations would rather ignore:

Lack of transparency: Most projects have no complete list of all their open-source components.

Security vulnerabilities: Open-source packages may contain known Common Vulnerabilities and Exposures (CVEs). If these vulnerabilities are publicly disclosed but not yet patched or mitigated, attackers have an opportunity to exploit them during this window of exposure.

Licence compliance: Failure to comply with open-source licences (e.g., the GNU General Public License (GPL), the Massachusetts Institute of Technology (MIT) licence, or the Apache licence) can lead to costly legal problems.

Abandonware risk: The vast majority of packages are unmaintained or inactive, leaving them a liability when bugs surface or exploits appear.

These are not abstract concerns; they have real-world implications. Examples include the infamous Log4j vulnerability and attacks on software supply chains, such as the SolarWinds breach. In short, the consequences of uncontrolled open-source use are a matter of record.

Demystifying open source

Debricked is designed to help development, security, and legal teams make better, faster, and safer open-source code choices. It achieves this by providing a collection of features that address the threats and inefficiencies associated with unmanaged open-source usage.

1. Automatic software bill of materials (SBOM) generation.

An SBOM is an exhaustive list of all open-source components within an application. Debricked does this work automatically, so that teams understand what they are using — and where. It supports multiple package managers and languages, connects directly with CI/CD pipelines and repositories, and provides real-time insight into your software supply chain.

2. Machine-learning powered CVE scoring.

Not all vulnerabilities are the same. Some are theoretical; others are being exploited right now. Debricked uses machine learning models to score and rank CVEs by exploitability and real-world risk, allowing security teams to focus on the threats that require attention. It removes noise and false positives, helps prioritise patching across large codebases, and automatically refreshes as new threats are found.

3. Licence compliance and legal risk mitigation.

Debricked scans all open-source modules and alerts on licence types that are not compatible with your business model. This is necessary to prevent legal exposure and to safeguard intellectual property rights.

It flags incompatible or risky licences, such as copyleft licences (e.g., GPL, LGPL), which require that derivative works or modifications of the original code be distributed under the same licence. In this manner, the code and any enhancements to it remain open and freely available. It also delivers clear, actionable licence compliance findings and assists legal and compliance teams with audit-ready reporting.

4. Open-source health metrics.

Would you build your business on software that is no longer maintained? Debricked provides an overview of the health and activity level of every package you are using, including community engagement, frequency of updates, release history, and issue tracker activity, and raises red flags for packages on the verge of abandonment.

This enables developers to make better decisions when selecting dependencies and reduces long-term technical debt.

One complete security solution

While Debricked excels at managing open-source components, applications are usually built on custom code as well. That is where Fortify, another OpenText offering, comes in, providing end-to-end static, dynamic, and mobile application security testing (SAST, DAST, MAST). With this two-pronged solution, your entire code set, both proprietary and third-party, is safeguarded, tracked, and governed with minimal impact on developer productivity.

Why it matters more than ever today

As threats evolve and regulators ramp up compliance requirements, South African organisations, particularly those in the financial, healthcare, and public sectors, can no longer afford to take open-source security and licence management for granted.

● POPIA and GDPR necessitate end-to-end accountability in the processing and securing of data.

● Banks are under greater scrutiny in terms of software supply chains and risk exposure.

● Product developers and teams need technology that does not constrain them, but facilitates secure, compliant innovation.

In an era where software underpins every facet of business, the strategic approach is to integrate security and governance into the process, rather than treating them as an afterthought.

For more information contact iOCO, +27 11 607 8100, [email protected], ioco.tech
