If you’ve been in the security universe for the last few decades, you know we love a good vulnerability scanner. We’re great at finding known bads. We have very mature practices to hunt for CVEs, malware, and leaked secrets. But here’s the thing about modern software development: deployed applications are now composed mostly of open-source software, and that share keeps growing.
We treat our own proprietary code like a prized possession. We run QA, we enforce secure development practices, we fuzz it, we review it before it ever hits production. But what about the rest of the application? We just sort of trust it. Sure, we check the specific version of an open source dependency to see if it has a CVE, but we rarely look deeply at the qualities of the open-source project itself through the lens of security.
Relying purely on vulnerability databases to measure risk is a systemic problem. A lack of CVEs doesn’t mean a piece of software is safe to use; it just means nobody has registered a CVE against it yet.
The Threat Intelligence Gap
Let’s step back and see what the state of threat intelligence actually is. A solid threat hunting practice relies on high-quality data. But if you’re only looking at whether FUBAR version 1.0 has a known CVE or leaked credentials, you’re missing the bigger picture.
What if the project itself has been abandoned by its maintainers for three years? What if it’s End of Life? What if the project does have vulnerabilities, but the maintainers take an average of six months to actually ship a fix?
Or worse, what if the project doesn’t even exist? We’re seeing a fascinating and terrifying new threat vector right now: AI code generators hallucinating dependencies. An AI might write a script that does `import yaml` and then confidently tell you to install a package named YAML, when the real-world distribution that provides that module is PyYAML. A malicious actor sees that hallucination, registers a package under the hallucinated name loaded with malicious code, and waits for a developer to blindly copy-paste the AI’s output.
These aren’t theoretical problems. This is the new reality of the software supply chain. But traditional scanners won’t catch these issues because there’s no CVE for “project was created yesterday by a name-squatter.”
What is Anchore doing?
Our Chief Research Officer, Daniel Nurmi, recently gave a fantastic presentation on how to evaluate open-source projects using the same rigorous criteria we apply to our own applications.
At Anchore, we’ve been building a data-gathering pipeline to solve this. It starts with a Software Bill of Materials (SBOM). We take that list of ingredients, go out into the messy reality of the internet, and find the canonical source of truth for those projects (like their GitHub repository).
From there, we can normalize the data and extract some really useful insights:
- Boolean metrics: Does the project actually exist, or does it fall into the Does Not Exist (DNE) bucket? Is it End of Life (EOL)?
- Time-based metrics: How old is the project? When was the last release? What’s the cadence for fixing security issues?
- Qualitative metrics: Are there active maintainers, or is it a ghost town?
But throwing more raw data at developers doesn’t fix a systemic problem; it just adds noise. So we gather the metrics and apply a flexible scoring technique on top of them. A project that “Does Not Exist” or is EOL bubbles right to the top of the risk list, because those are massive red flags that need immediate attention.
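To make the pipeline concrete, here is a small end-to-end sketch of the same idea: read an SBOM, look each component up in a "canonical source" index, derive the boolean, time-based and qualitative metrics, and rank the result so DNE and EOL projects land at the top. This is an added illustration, not Anchore’s code or scoring; the SBOM fragment, the package names, the lookup data, and the weights and thresholds are all constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional

# Constructed CycloneDX-style SBOM fragment; the component names are invented
# for this example and do not refer to real packages.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "yamlkit",    "version": "6.0.1"},
    {"type": "library", "name": "yaml-fast",  "version": "0.0.1"},
    {"type": "library", "name": "legacy-orm", "version": "2.4.0"},
    {"type": "library", "name": "slowpatch",  "version": "1.9.2"},
    {"type": "library", "name": "yamel",      "version": "1.0.0"}
  ]
}"""

TODAY = date(2025, 6, 1)  # pinned so the example is reproducible offline

# Constructed stand-in for the registry/repository lookup. A real pipeline
# would query the package index and the canonical source repo; here the
# answers are hard-coded. A name missing from this dict means "not found".
PROJECT_INDEX = {
    "yamlkit": {
        "created": date(2008, 3, 1), "last_release": date(2025, 2, 10),
        "eol": False, "active_maintainers": 4,
        "security_fixes": [(date(2024, 3, 1), date(2024, 3, 10)),   # (reported, fixed)
                           (date(2024, 9, 1), date(2024, 9, 20))],
    },
    "yaml-fast": {  # registered yesterday: the name-squatter pattern
        "created": date(2025, 5, 31), "last_release": date(2025, 5, 31),
        "eol": False, "active_maintainers": 1, "security_fixes": [],
    },
    "legacy-orm": {  # declared EOL, nobody home
        "created": date(2011, 6, 1), "last_release": date(2021, 1, 5),
        "eol": True, "active_maintainers": 0, "security_fixes": [],
    },
    "slowpatch": {  # alive, but fixes take about half a year to ship
        "created": date(2015, 1, 1), "last_release": date(2024, 11, 20),
        "eol": False, "active_maintainers": 1,
        "security_fixes": [(date(2023, 1, 10), date(2023, 7, 20)),
                           (date(2024, 2, 1), date(2024, 6, 15))],
    },
}

# Illustrative weights and thresholds, chosen for this example only.
W_DNE, W_EOL, W_NEW, W_STALE, W_SLOW_FIX, W_NO_MAINT, W_ONE_MAINT = 100, 90, 60, 40, 30, 30, 10
NEW_PROJECT_DAYS, STALE_RELEASE_DAYS, SLOW_FIX_DAYS = 30, 730, 90


@dataclass
class Health:
    name: str
    version: str
    score: int = 0
    blocking: bool = False           # DNE / EOL: sorted above everything else
    flags: list = field(default_factory=list)


def median_fix_days(fixes) -> Optional[float]:
    """Median days from report to fix; None when there is no history to judge."""
    if not fixes:
        return None
    return median((fixed - reported).days for reported, fixed in fixes)


def score_component(name: str, version: str, index: dict, today: date = TODAY) -> Health:
    h = Health(name, version)
    meta = index.get(name)
    if meta is None:
        # Boolean metric: Does Not Exist. No registry or repo knows this name,
        # which is what a hallucinated (or freshly squatted) dependency looks like.
        h.score += W_DNE
        h.blocking = True
        h.flags.append("DNE: no registry or repository entry (hallucinated or squatted name?)")
        return h
    if meta["eol"]:
        h.score += W_EOL
        h.blocking = True
        h.flags.append("EOL: project declared end of life")
    age = (today - meta["created"]).days            # time-based metrics
    if age < NEW_PROJECT_DAYS:
        h.score += W_NEW
        h.flags.append(f"NEW: project created {age} day(s) ago")
    stale = (today - meta["last_release"]).days
    if stale > STALE_RELEASE_DAYS:
        h.score += W_STALE
        h.flags.append(f"STALE: last release {stale} days ago")
    fix = median_fix_days(meta["security_fixes"])
    if fix is not None and fix > SLOW_FIX_DAYS:
        h.score += W_SLOW_FIX
        h.flags.append(f"SLOW_FIX: median {fix:.0f} days from report to fix")
    maintainers = meta["active_maintainers"]         # qualitative metric
    if maintainers == 0:
        h.score += W_NO_MAINT
        h.flags.append("GHOST: no active maintainers")
    elif maintainers == 1:
        h.score += W_ONE_MAINT
        h.flags.append("BUS_FACTOR: single active maintainer")
    return h


def rank_sbom(sbom_json: str, index: dict, today: date = TODAY) -> list:
    """Score every component in the SBOM and return them riskiest first."""
    bom = json.loads(sbom_json)
    scored = [score_component(c["name"], c["version"], index, today) for c in bom["components"]]
    return sorted(scored, key=lambda h: (h.blocking, h.score), reverse=True)


if __name__ == "__main__":
    for h in rank_sbom(SBOM_JSON, PROJECT_INDEX):
        tag = "BLOCK" if h.blocking else "     "
        print(f"{h.score:>4} {tag} {h.name}@{h.version}: {'; '.join(h.flags) or 'ok'}")
```

Two design points worth noting. The ranking key is `(blocking, score)`, so a DNE or EOL hit can never be out-scored by a pile of softer signals; a project with a clean scan but no registry entry at all is the thing you want to see first. And fix cadence is computed from report/fix date pairs rather than taken on faith, because "has a fix" and "ships fixes in a reasonable time" are different properties.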
Watch Dan’s talk to see how this actually works and how we catch AI-hallucinated packages before they introduce risk into an environment.
Ready to stop guessing what’s in your code?
It’s easy to be a cynic about supply chain security, but the truth is you can’t secure what you don’t understand. If you’re ready to stop wondering what’s lurking in your dependencies, we are here to help. Anchore’s SBOM-powered platform gives you the comprehensive visibility you need to actually manage your software supply chain risk.
From automatically generating accurate SBOMs to continuous vulnerability scanning and advanced policy enforcement, we give you the actionable data to find hidden threats and achieve compliance by default. Whether you need to rapidly detect zero-days, manage imported third-party SBOMs, or automate policy checks for frameworks like NIST and FedRAMP, we have you covered.
Reach out to our team and request a demo to get started.