Open source code can also be open risk

Issue 3 2025 Information Security, Infrastructure

Software development has fundamentally changed over the years. Agile approaches, rapid release cycles, and DevOps culture have transformed how software is created and released. Amid this changing environment, one truth has gradually emerged: open-source code increasingly forms the basis of modern applications. Survey-based estimates indicate that 60 – 90% of the average application's code base consists of open-source components. This is not merely a matter of convenience; it is a necessity for innovation, speed, and economic viability. But with such widespread adoption comes an admittedly under-recognised truth: open source introduces risk.

The question is not whether you are using open-source code, but rather whether you are doing it in a practical and managed way. That is where Debricked, a company within OpenText, comes into the picture. Debricked is becoming an essential solution in the modern secure software development lifecycle. Below, I explore why that is the case.


Wehann Kritzinger.

The open source problem no one is talking about

Despite the many benefits of open-source software, it raises unique problems that most organisations would rather ignore:

Lack of transparency: Most projects have no complete list of all their open-source components.

Security vulnerabilities: Open-source packages may contain known Common Vulnerabilities and Exposures (CVEs). If these vulnerabilities are publicly disclosed but not yet patched or mitigated in your application, attackers have an opportunity to exploit them during this window of exposure.

Licence compliance: Failure to comply with open-source licences (e.g., the GNU General Public License (GPL), the Massachusetts Institute of Technology (MIT) licence, or the Apache licence) can lead to costly legal problems.

Abandonware risk: The vast majority of packages are unmaintained or inactive, which makes them a liability when bugs surface or exploits appear and no one is left to fix them.

These are not abstract concerns; they have real-world implications. Examples include the infamous Log4j vulnerability and attacks on software supply chains, such as the SolarWinds breach. In short, the consequences of uncontrolled open-source use are a matter of record.

Demystifying open source

Debricked is designed to help development, security, and legal teams make better, faster, and safer open-source code choices. It achieves this by providing a collection of features that address the threats and inefficiencies associated with unmanaged open-source usage.

1. Automatic software bill of materials (SBOM) generation.

An SBOM is an exhaustive list of all open-source components within an application. Debricked does this work automatically, so that teams understand what they are using — and where. It supports multiple package managers and languages, connects directly with CI/CD pipelines and repositories, and provides real-time insight into your software supply chain.

2. Machine-learning powered CVE scoring.

Not all vulnerabilities are the same. Some are theoretical; others are being actively exploited right now. Debricked uses machine learning models to score and rank CVEs by exploitability and real-world risk, allowing security teams to focus on the threats that require attention. It removes noise and false positives, helps prioritise patching across large codebases, and automatically refreshes as new threats are found.

3. Licence compliance and legal risk mitigation.

Debricked scans all open-source modules and alerts on licence types that are not compatible with your business model. This is necessary to prevent legal exposure and to safeguard intellectual property rights.

It flags incompatible or risky licences, such as copyleft licences (e.g., GPL, LGPL), which require that derivative works or modifications of the original code be distributed under the same licence, so that the code and any enhancements to it remain open and freely available. It also delivers clear, actionable licence compliance findings and assists legal and compliance teams with audit-ready reporting.

4. Open-source health metrics.

Would you build your business on software that is no longer maintained? Debricked provides an overview of the health and activity level of all packages you are using, including community engagement, frequency of updates, release history, issue tracker activity, and red flags for packages on the verge of abandonment.

This enables developers to make better decisions when selecting dependencies and reduces long-term technical debt.
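As an added illustration (not Debricked's code or output), here is a minimal policy check over a constructed SBOM that applies the checks described in the four points above: matching components against known CVEs with exploited-in-the-wild findings ranked first, flagging copyleft licences, and a staleness heuristic for abandoned packages. Component names, CVE identifiers, dates and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, CycloneDX-style SBOM fragment: hypothetical component names and versions.
SBOM = {
    "components": [
        {"name": "logfmt-core", "version": "2.14.0", "licenses": ["Apache-2.0"],  "last_release": "2025-05-02"},
        {"name": "yaml-fast",   "version": "1.3.1",  "licenses": ["GPL-3.0-only"], "last_release": "2024-11-10"},
        {"name": "tinyjwt",     "version": "0.9.2",  "licenses": ["MIT"],         "last_release": "2021-02-17"},
    ]
}

# Constructed advisory feed with placeholder CVE ids. The "exploited" flag stands in for
# the exploitability signal that drives prioritisation in the article.
ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "logfmt-core", "fixed_in": "2.15.0", "exploited": True},
    {"id": "CVE-0000-0002", "name": "tinyjwt",     "fixed_in": "0.9.2",  "exploited": False},
]

COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only"}
STALE_AFTER_DAYS = 730  # arbitrary health threshold: no release in two years

def vtuple(version):
    """Turn 'x.y.z' into a comparable tuple (semantic-version numbers only)."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Finding:
    component: str
    kind: str      # "vulnerability", "licence" or "health"
    detail: str
    priority: int  # lower number = act first

def audit_sbom(sbom, advisories, today):
    """Return policy findings for every component, most urgent first."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            # A component is affected only if it is older than the fixed version.
            if adv["name"] == comp["name"] and vtuple(comp["version"]) < vtuple(adv["fixed_in"]):
                findings.append(Finding(comp["name"], "vulnerability",
                                        f"{adv['id']} fixed in {adv['fixed_in']}",
                                        0 if adv["exploited"] else 1))
        for lic in comp["licenses"]:
            if lic in COPYLEFT:
                findings.append(Finding(comp["name"], "licence", f"copyleft licence {lic}", 2))
        age_days = (today - date.fromisoformat(comp["last_release"])).days
        if age_days > STALE_AFTER_DAYS:
            findings.append(Finding(comp["name"], "health", f"no release for {age_days} days", 3))
    return sorted(findings, key=lambda f: f.priority)  # stable sort keeps SBOM order within a tier

def demo_findings():
    """Run the audit against the constructed SBOM as of a fixed, constructed date."""
    return audit_sbom(SBOM, ADVISORIES, date(2025, 7, 1))
```

Note that tinyjwt is already at its fixed version, so it produces no vulnerability finding but is still flagged as stale.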

One complete security solution

While Debricked excels at managing open-source components, applications are often built on custom code as well. That is where Fortify, another OpenText offering, comes in, offering end-to-end static, dynamic, and mobile application security testing (SAST, DAST, MAST). With this two-pronged solution, your entire code set — both proprietary and third-party — is safeguarded, tracked, and governed with minimal impact on developer productivity.

Why it matters more than ever today

As threats evolve and regulators ramp up compliance requirements, South African organisations, particularly those in the financial, healthcare, and public sectors, can no longer take open-source security and licence management at face value.

● POPIA and GDPR necessitate end-to-end accountability in the processing and securing of data.

● Banks are under greater scrutiny in terms of software supply chains and risk exposure.

● Product developers and teams need technology that does not constrain them, but facilitates secure, compliant innovation.

In an era where software underpins every facet of business, the strategic approach is to integrate security and governance into the process, rather than treating them as an afterthought.

For more information contact iOCO, +27 11 607 8100, [email protected], ioco.tech
