
2025's Biggest Challenges In Open-Source Software Supply Chains
Stephanie Domas is the Chief Information Security Officer (CISO) at Canonical, the creators of the popular Linux operating system, Ubuntu.
What are the most pressing issues for organizations using open-source software (OSS) in 2025? Is it cyberattacks? Cost efficiency? Or is it the disruptions of AI and new tech?
In this article, I'll give my take as a CISO and offer advice on how I'd go about addressing them.
Why Businesses Struggle With Their Open-Source Supply Chain
OSS can be amazing, but software is only as good as its supply chain security. Getting this right can be a complex puzzle, and it's one that most organizations are struggling to solve: our research with IDC revealed that 9 out of 10 organizations would prefer to source packages at the operating system level, yet only 44% of them do so.
Instead, organizations are pulling software from all over the place, and only when they have to, avoiding automatic upgrades to the newest versions. They prefer to wait until new features are needed or the free updates stop, essentially until things stop working.
This approach leaves organizations exposed to newly discovered vulnerabilities for longer than necessary. It also creates more expensive and time-consuming work, because the organization has to take on labor-intensive tasks itself, such as monitoring upstream open-source projects and scanning for vulnerabilities.
Challenges In Managing Vulnerabilities
Patching is hard, but it's much harder when you have demanding patch SLAs imposed by market regulations. Managing vulnerabilities across a range of OSS can be time-consuming and requires skilled labor and manual effort. As every CISO knows, "manual" usually means mistakes in the long run. And if something goes wrong, it could spell disaster for the company: according to Statista, as of January 2025, just 17 data breaches resulted in over $7 billion in fines.
Our research at Canonical shows that 43% of organizations are concerned about their ability to secure their AI stack. Worse, 60% of organizations have zero or only basic security controls to safeguard their AI/ML systems. This sort of exposure is unacceptable: not securing your AI systems runs the risk of package hallucination attacks, prompt injection or even exposure of your valuable IP.
The market is being disrupted by new cybersecurity regulations, and many organizations struggle to figure out what these mean for their operations and systems.
Look at the EU Cyber Resilience Act (CRA), for example. This new regulation means that millions of devices will face stricter cybersecurity requirements. Manufacturers of these devices will need to provide detailed documentation, consistent security patches across their devices' lifecycles, and long-term vulnerability reporting and monitoring. The CRA is just one of dozens of cybersecurity regulations that are clamping down on insecure devices. Navigating this complex landscape is hard.
My Recommendations For Meeting These New Challenges
New innovations in open source are being made every day. In our own teams, we have people building software for 5G and private mobile networks that competes with enterprise products, something that would have been unthinkable 10 years ago. Still, addressing today's OSS-related risks requires a combination of strategic tooling, process maturity and smart sourcing decisions.
First, streamline how you acquire and manage software packages. Whether you're fully OSS-based or in a hybrid environment, the goal should be reducing fragmented sourcing. One strategy I've found effective in my own experience is to pull packages from a trusted operating system-level repository, or to work with vendors who assume upstream responsibility for security and compliance.
This approach eases the burden of patching, compliance and vulnerability monitoring, especially in light of new regulations like the CRA. At Canonical, we've committed to meeting CRA manufacturer requirements directly, aiming to help organizations downstream shift compliance responsibility upstream without sacrificing flexibility. The importance of this to the open-source community cannot be overstated, as some of the most important software in the world relies on tiny communities that do not have the time or resources to meet onerous cybersecurity regulations.
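A concrete way to see how fragmented your sourcing actually is on an Ubuntu or Debian host is to ask APT where each installed package's candidate version comes from. The script below is an added example written for this article; it is not Canonical tooling and not code from the original piece. It parses the text that `apt-cache policy <pkg>...` prints and flags packages that will never be patched by a routine `apt upgrade` (no configured repository carries the version), packages that come from a repository outside an allow-list, and packages with an update pending. The allow-list of trusted archive hostnames and the sample `apt-cache policy` output (package names and version strings) are constructed for the example, not captured from a real system.

```python
"""Audit where installed APT packages really come from.

Parses the text that `apt-cache policy <pkg>...` prints and classifies each
package by the archive that carries its *candidate* version:

  OS              candidate comes only from trusted OS-level archives
  UPDATE_PENDING  same, but a newer version is waiting to be installed
  THIRD_PARTY     candidate comes from a repository outside the allow-list
  ORPHANED        no configured repository carries the version at all, so a
                  routine `apt upgrade` will never patch it
  NOT_INSTALLED   apt knows the package but it is not on the system
"""
import re
from urllib.parse import urlsplit

# Hostnames of the OS-level archives we trust (assumption for this example;
# point it at your own mirrors or vendor archive).
TRUSTED_ORIGINS = {"archive.ubuntu.com", "security.ubuntu.com"}
DPKG_STATUS = "/var/lib/dpkg/status"  # pseudo-source apt lists for what is on disk

_PKG_RE = re.compile(r"^(\S+):$")                            # "curl:"
_FIELD_RE = re.compile(r"^  (Installed|Candidate): (\S+)$")   # "  Installed: 7.81.0-..."
_VERSION_RE = re.compile(r"^ (?:\*\*\*|   ) (\S+) -?\d+$")    # " *** 7.81.0-... 500"
_ORIGIN_RE = re.compile(r"^        -?\d+ (\S+)")              # "        500 http://..."

# Constructed sample in the shape of `apt-cache policy` output (not real data).
SAMPLE_POLICY = """\
curl:
  Installed: 7.81.0-1ubuntu1.16
  Candidate: 7.81.0-1ubuntu1.16
  Version table:
 *** 7.81.0-1ubuntu1.16 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     7.81.0-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
openssl:
  Installed: 3.0.2-0ubuntu1.15
  Candidate: 3.0.2-0ubuntu1.18
  Version table:
     3.0.2-0ubuntu1.18 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
 *** 3.0.2-0ubuntu1.15 100
        100 /var/lib/dpkg/status
nginx:
  Installed: 1.25.3-1~jammy
  Candidate: 1.25.3-1~jammy
  Version table:
 *** 1.25.3-1~jammy 500
        500 https://ppa.launchpadcontent.net/ondrej/nginx/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
     1.18.0-6ubuntu14.4 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
libfoo1:
  Installed: 2.0.1-1
  Candidate: 2.0.1-1
  Version table:
 *** 2.0.1-1 100
        100 /var/lib/dpkg/status
"""


def parse_policy(text):
    """Return {package: {"installed": v, "candidate": v, "sources": {version: [url, ...]}}}."""
    packages, current, version = {}, None, None
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:  # new package block
            current = packages.setdefault(
                m.group(1), {"installed": None, "candidate": None, "sources": {}})
            version = None
            continue
        if current is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
            continue
        m = _VERSION_RE.match(line)
        if m:  # a row of the version table; origin lines follow it
            version = m.group(1)
            current["sources"].setdefault(version, [])
            continue
        m = _ORIGIN_RE.match(line)
        if m and version is not None:
            current["sources"][version].append(m.group(1))
    return packages


def classify(pkg, trusted=TRUSTED_ORIGINS):
    """Classify one parsed package by the origin of its candidate version."""
    installed, candidate = pkg["installed"], pkg["candidate"]
    if installed in (None, "(none)"):
        return "NOT_INSTALLED"
    repos = [u for u in pkg["sources"].get(candidate, []) if u != DPKG_STATUS]
    if not repos:
        return "ORPHANED"
    hosts = {urlsplit(u).hostname for u in repos}
    if not hosts <= trusted:
        return "THIRD_PARTY"
    if installed != candidate:
        return "UPDATE_PENDING"
    return "OS"


def audit(policy_text, trusted=TRUSTED_ORIGINS):
    """Map every package in the policy text to its classification."""
    return {name: classify(pkg, trusted) for name, pkg in parse_policy(policy_text).items()}


if __name__ == "__main__":
    import sys
    # Pipe real output in, e.g.:
    #   apt-cache policy $(dpkg-query -W -f '${binary:Package}\n') | python3 apt_origin_audit.py
    text = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    for name, status in sorted(audit(text).items()):
        print(f"{status:15} {name}")
```

On the sample, `curl` is cleanly OS-sourced, `openssl` has a security update waiting, `nginx` is pinned to a PPA that the OS vendor does not maintain, and `libfoo1` is orphaned: nothing in `sources.list` carries it, so it will sit at its current version until someone notices. The THIRD_PARTY and ORPHANED sets are exactly the "pulled from all over the place" inventory that fragmented sourcing produces, and they are the first place to look when reducing it.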
My work involves directly overseeing security assessments required before enabling some AI tools within our teams' workflows. As a result, I've found it's especially important to be intentional about your AI security posture. Before integrating AI tooling into production workflows, conduct formal assessments to understand what systems it will touch, what data it will process and how its behavior aligns with existing security controls. Don't rush—map out targeted use cases and pilot with guardrails. Experimental adoption is fine, as long as it's paired with rigorous due diligence and clearly defined outcomes.
Finally, keep in mind that innovation doesn't have to come at the cost of security or compliance. Whether you're building edge networks, standing up clouds or managing ML pipelines, OSS can certainly accelerate development and cut costs—but only if paired with disciplined implementation. We've seen organizations slash cloud bills by up to 76% using tools like OpenStack and MicroCloud on existing infrastructure. But the real win comes when that cost-efficiency is matched by secure, well-governed practices that stand up to scrutiny.
Conclusion
To stay competitive in 2025 and beyond, organizations must treat open-source security and compliance as strategic capabilities—not afterthoughts. That means adopting clear processes for sourcing, patching and assessing software, especially as AI adoption grows and regulations tighten.
Whether you're trying to reduce costs, improve scalability or navigate frameworks like the CRA, secure open-source practices can unlock real operational advantages. But those benefits only materialize when paired with intentional governance, smart tooling and a strong understanding of your risk surface. By following these recommendations, you can better ensure you'll be ready for these challenges and more.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.