Report Highlights Open Source Risks
Endor Labs has released a comprehensive report on the operational risks associated with unmanaged open source software dependencies. The findings are particularly relevant as regulations like DORA increase scrutiny on software supply chain resilience. The report is driving investment in tooling, artifact evaluation, and documentation to manage these risks more effectively.
- 95% of open source software vulnerabilities are found in transitive dependencies, the packages a project pulls in indirectly through its direct dependencies; because developers rarely choose or review these packages, assessing their risk is difficult.
- The Digital Operational Resilience Act (DORA) now requires financial institutions and their critical third-party technology providers to implement stringent ICT risk management guidelines, including measures for the resilience of the software supply chain.
- In 2023, the first recorded open-source software supply chain attacks specifically targeting the banking sector were detected, involving malicious code embedded within OSS components to gain unauthorized access.
- AI coding assistants introduce new risks: a 2025 analysis found that only one in five dependency versions recommended by these tools were safe, and 44-49% of AI-suggested dependencies contained known security vulnerabilities.
- A recent analysis of over 10,000 GitHub repositories highlighted the immaturity of the Model Context Protocol (MCP) server ecosystem, with 75% of these servers built by individuals and often lacking enterprise-level security safeguards.
- In the financial services and fintech sectors, 66% of audited codebases had open source license conflicts, which can arise from transitive dependencies and create legal and intellectual property risks.
- The average software application relies on more than 500 open source components, a 77% increase over two years, with open source making up over 75% of the total codebase.
- While 71% of a typical Java application's code comes from open source components, developers typically use only about 12% of the code they import, which enlarges the attack surface unnecessarily.