Kubernetes and cloud-native computing sit squarely in the middle of a seismic shift in the last decade toward enterprise use of open source — and all the software supply chain security concerns that come with it.

This open source shift isn’t piecemeal: Four of the 17 industry sectors represented in the 2022 edition of an annual “Open Source Security and Risk Analysis” report by Synopsys include open source in 100% of their codebases; the remaining 13 industries use open source in 93% to 99% of their codebases.

Meanwhile, since the SolarWinds attack in late 2020, a series of high-profile exploits in open source code has revealed the far-reaching cybersecurity implications of its convoluted supply chains. In late 2021, the Log4j vulnerability exposed how open source libraries wrapped up in other dependencies could be used in potentially devastating and difficult-to-detect attacks, as enterprises had trouble determining whether vulnerable libraries were present in their environments, and where.

Against this backdrop, Kubernetes itself remains a relatively safe haven because of its large, highly invested community, according to the Synopsys report. But plenty of other open source components are involved in the Kubernetes ecosystem, including small, single-developer projects, whose maintenance — or lack thereof — can leave the wider platform vulnerable.

“GitHub has millions of projects in which the number of developers is in the single digits,” according to the Synopsys report. “One of the takeaways from Log4Shell’s discovery should be the need to create a path to mitigate the business risk associated with using open source software. The important distinction here is that open source itself doesn’t create business risk, but its mismanagement does.”