About Us

Laser Focus World is an industry bedrock—first published in 1965 and still going strong. We publish original articles about cutting-edge advances in lasers, optics, photonics, sensors, and quantum technologies, as well as test and measurement, and the shift currently underway to usher in the photonic integrated circuits, optical interconnects, and copackaged electronics and photonics to deliver the speed and efficiency essential for data centers of the future.

Our 80,000 qualified print subscribers—and 130,000 12-month engaged online audience—trust us to dive in and provide original journalism you won’t find elsewhere covering key emerging areas such as laser-driven inertial confinement fusion, lasers in space, integrated photonics, chipscale lasers, LiDAR, metasurfaces, high-energy laser weaponry, photonic crystals, and quantum computing/sensors/communications. We cover the innovations driving these markets.

Laser Focus World is part of Endeavor Business Media, a division of EndeavorB2B.

Laser Focus World Membership

Never miss any articles, videos, podcasts, or webinars by signing up for membership access to Laser Focus World online. You can manage your preferences all in one place—and provide our editorial team with your valued feedback.

Magazine Subscription

Can you subscribe to receive our print issue for free? Yes, you sure can!

Newsletter Subscription

Laser Focus World newsletter subscription is free to qualified professionals:

The Daily Beam

Showcases the newest content from Laser Focus World, including photonics- and optics-based applications, components, research, and trends. (Daily)

Product Watch

The latest in products within the photonics industry. (9x per year)

Bio & Life Sciences Product Watch

The latest in products within the biophotonics industry. (4x per year)

Laser Processing Product Watch

The latest in products within the laser processing industry. (3x per year)

Get Published!

If you’d like to write an article for us, reach out with a short pitch to Sally Cole Johnson: [email protected]. We love to hear from you.

Photonics Hot List

Laser Focus World produces a video newscast that gives a peek into what’s happening in the world of photonics.

Following the Photons: A Photonics Podcast

Following the Photons: A Photonics Podcast dives deep into the fascinating world of photonics. Our weekly episodes feature interviews and discussions with industry and research experts, providing valuable perspectives on the issues, technologies, and trends shaping the photonics community.

Social Media

BlueskyFacebookInstagram LinkedIn • YouTube

Meet the Laser Focus World Team

Editorial

Sales

Editorial Advisory Board

  • Professor Andrea M. Armani, University of Southern California
  • Ruti Ben-Shlomi, Ph.D., LightSolver
  • James Butler, Ph.D., Hamamatsu
  • Natalie Fardian-Melamed, Ph.D., Columbia University
  • Justin Sigley, Ph.D., AmeriCOM
  • Professor Birgit Stiller, Max Planck Institute for the Science of Light, and Leibniz University of Hannover
  • Professor Stephen Sweeney, University of Glasgow
  • Mohan Wang, Ph.D., University of Oxford
  • Professor Xuchen Wang, Harbin Engineering University
  • Professor Stefan Witte, Delft University of Technology
My Watchlist
Indicators
Industrial Laser Index
Markets
Stocks
ETFs
Tools
Markets:
Overview
News
Currencies
International
Treasuries

Danger of Open-source Software

By: Syndication Cloud

Originally Posted On: https://blog.axellio.com/danger-of-open-source-software

 

The Danger of Open-source Software

In part two of the “Two Factors that Affect Software Security” blog series, we’ll dive deeper into open-source software (OSS). OSS has become very popular these days. However, as with most things, there is a “trade-off curve”. While the use of OSS can drive down product creation costs and improve time to market, software security and product integrity risks increase substantially with its use. This is because of one fundamental error in thinking – that the OSS components will have been properly and rigorously reviewed by “others.” Often, this is probably not the case for the same reason that this engineering team wants to use OSS in the first place – they don’t have time to create and rigorously test code; and are hoping others have done it for them. This is why the dependence on OSS is creating real concerns about national security and data privacy. 

A Dark Reading article from 2022 showed that the idea of rigorous testing isn’t true. Researchers at Johns Hopkins University conducted a study on a popular library of code called Node.js. They discovered 180 zero-day vulnerabilities across the Node.js libraries they examined. There were several security vulnerabilities including injection flaws and cross-site scripting. Seventy of the flaws were assigned their own common vulnerabilities and exposures (CVE) identifier.   

Another example is the Log4Shell vulnerability that was found in the Log4j library in 2021. The Apache Log4j is a popular Java library for logging error messages in applications. The vulnerability, originally published as CVE-2021-44228, ended up having three more related vulnerabilities. Again, just because a piece of software was reviewed by a group, doesn’t mean it’s safe.

A Synopsis 2024 Open Source Security and Risk Analysis Report found even more bad news. Here are some highlights: 

  • 84% of codebases assessed for risk contained vulnerabilities 
  • 74% of codebases assessed for risk contained high-risk vulnerabilities 
  • 91% of codebases contain components that have had no new development in over two years 
  • 91% of the codebases assessed for risk contained components that were 10 versions or more behind the most current version of the component 
  • 89% of codebases contain OSS that is more than 4 years out of date 
  • The average number of open-source components in a given application this year was 526 
  • 54% increase in codebases containing high-risk vulnerabilities over the past year was found 
  • 14% of the codebases assessed for risk contained vulnerabilities older than 10 years 

A key point exposed by the Synopsis report is the update process for OSS code. What happens to the code after a year, two years, and more. Does anyone go back and update it to eliminate (or at least reduce) software vulnerabilities? While there are some examples of this, the Synopsis report found that 91% of codebases contain components that did not have any new development updates in over two years. The report did show that the number improved by 2 points (dropping to 89%) for code that was 4 years or so out of date.

So, based upon the Synopsis results, there is clear concern with the use of OSS. Especially since the National Bureau of Economic Research estimates that over 90% of Fortune 500 companies are actively using OSS. This potentially puts a lot of American enterprises, and the US government buying those solutions, at a heavy risk for hidden security and operational flaws. In fact, OWASP is so concerned that we still lack a holistic approach to OSS risk management that encompasses security, legal, and operational aspects that they created a top 10 list of security and operational issues associated with the use of OSS. 

These facts and figures should make any purchasing team nervous. While the vendor may sign off on their software, if they are using OSS, there’s a chance your network could be compromised in the future. One of the best ways to avoid the situation is to buy software solutions that do not heavily rely on OSS. While a usage of 0% OSS is technically possible, you will be hard pressed to find a manufacturer that does not use any OSS. 

A reduced OSS dependency plan gives you two clear benefits. First, you have a substantial possibility of reducing your security risk by not using potentially compromised software. Second, bad actors are generally less inclined to spend time trying to attack proprietary code. There is little in it for them. It takes a lot of time to analyze the code for defects; and even harder for them to get their hands on proprietary code in the first place. It’s so much easier to analyze OSS for flaws, then find products using that OSS, and then attack multiple company products that use that same code. Once they have found an OSS defect, they can literally attack 5, 10, or more products by exploiting the one or two defects that they find in the OSS code. 

Axellio uses United States citizen workers and does not overly rely on the use of open-source code. Axellio carefully manages its use of open-source components and rigorously tests and evaluates the code used to reduce exposure to vulnerabilities. If you want additional information, check out this sales brief.

More News

View More
Why Seagate Is Wall Street's New Favorite AI Infrastructure Play
Via MarketBeat
Topics Artificial Intelligence
Tickers BAC STX
3 AI Infrastructure Stocks With Upside After the Summer Rally
Via MarketBeat
Topics Artificial Intelligence
Tickers AMZN ANET AVGO GOOGL META MSFT
Can Advantage2 Help Overcome D-Wave's Share Price Plateau?
Via MarketBeat
Tickers F GEV NVDA QBTS
Eli Lilly’s Oral GLP-1 Breakthrough Could Change Everything
Via MarketBeat
Tickers LLY
The Fed Cut Rates: What Now for the S&P 500 and Equity Markets?
Via MarketBeat
Topics ETFs Economy Stocks
Tickers NVDA SNOW SPY WDAY
Stock Quote API & Stock News API supplied by www.cloudquote.io
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms Of Service.