New Initiative Tackles Security for End-of-Life Open Source Software
The Open Source Sustainability Initiative's goal is to help enterprises manage and secure aging open source projects while maintaining regulatory compliance.
Arielle Waldman,Features Writer,Dark Reading
June 26, 2026
4 Min Read
The Commonhaus Foundation launched a new collaborative program this week to help enterprises manage open-source software projects as they enter end-of-life (EOL). The Open Source Sustainability Initiative (OSSI) is the Commonhaus Foundation's latest effort to champion and maintain open-source projects.
As enterprises pull many open source projects into their environments, they have to track each project's releases and apply security fixes promptly. That maintenance burden grows once a component reaches EOL, especially when vulnerabilities were left unpatched before EOL or are discovered afterward, because no upstream fix is coming.
Meanwhile, the number of reported CVEs (Common Vulnerabilities and Exposures) keeps climbing while the help available to triage them shrinks. The National Institute of Standards and Technology's decision earlier this year to change how it handles CVEs was a significant blow to the open source software ecosystem.
OSSI is necessary because EOL software doesn't stop running just because its maintainers have moved on, explains Erin Schnabel, chair of the Commonhaus Foundation. "We kept seeing the same patterns across our projects: companies running EOL software they couldn't yet upgrade, and CVEs still coming in against it," Schnabel tells Dark Reading.
The initiative's goal is to improve "lifecycle transparency and collaboration between maintainers, foundations, ecosystem partners, and the broader open source community," according to the press release. That means answering a question that is simple to ask and hard to answer: What do these organizations actually need? The answer may be CVE remediation, help migrating to supported releases, staying compliant with ever-evolving regulations, or, more likely, all of the above.
All Roads Lead to EOL
Components per application have increased 30% year-over-year, according to Black Duck's 2026 Open Source Security and Risk Analysis Report. "Open-source is now effectively universal in commercial software," and "the mean number of open-source vulnerabilities per codebase has more than doubled," Black Duck added.
Enterprises are spending so much time modernizing and keeping up with open source lifecycle management that it gets in the way of their actual work, explains Rob Nalen, COO of HeroDevs, a founding member of OSSI. HeroDevs provides companies with vetted options for staying secure on older releases without expecting project volunteers to support those releases forever. The amount of work being pushed onto open source communities is "frankly insurmountable," Nalen adds.
Nalen attributes some of the pressure on open source developers to the fact that artificial intelligence (AI) is being used to write code and find vulnerabilities. AI is finding vulnerabilities faster than teams can fix them. "There's a race between AI being used to find and exploit CVEs, and communities and enterprises trying to keep up" as they try to determine whether the flaws have already been identified and how to patch them, Nalen says.
And once a project enters EOL, the maintainers stop providing updates even as new vulnerabilities arise. This is one area where AI may help with modernizing the application, but while it is a great accelerator, says Nalen, it is not a replacement for the modernization work itself.
AI can handle repetitive work such as rewriting deprecated code and applying known patterns; the trouble starts at the framework level, he adds. For example, it doesn't look at downstream dependencies during development, and it can hallucinate.
"Bear in mind that AI can update the code in seconds, but what it struggles with is rewriting the hundreds of third-party libraries underneath, especially those that haven't made the same version bump, without breaking anything," he says.
'Red Flags Are Not Okay Anymore'
Addressing EOL issues helps enterprises reduce security incidents by closing off at least some attack vectors. It also supports compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the European Union's Digital Operational Resilience Act (DORA), an industry standard and a regulation, respectively, that both require organizations to keep the technology underpinning their operations supported and patchable. PCI DSS 4.0 requirement 12.3.4 requires organizations to review the hardware and software technologies in use at least once every 12 months to confirm they have not reached EOL, and to document a remediation plan for any that have.
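As an added illustration of the annual technology review described above (example code written for this page, not code from the article, OSSI, HeroDevs or the PCI Security Standards Council), the following Python script reads a CycloneDX-style SBOM and classifies each component against a lifecycle table, then turns the findings into the remediation list the review expects. The component names, versions and EOL dates are constructed for the example; in practice the SBOM comes from the build pipeline and the lifecycle table from project release pages or an EOL data feed.

```python
"""Flag end-of-life and soon-to-be-EOL components in a CycloneDX SBOM.

Added example for the EOL review discussed above. All component names,
versions and dates below are constructed for illustration.
"""
import json
from datetime import date, timedelta

# Constructed lifecycle table: component name -> list of (release branch, EOL date).
# An EOL date of None means no end of support has been announced for that branch.
EOL_TABLE = {
    "example-web-framework": [("2", date(2024, 6, 30)), ("3", date(2027, 12, 31))],
    "example-json-lib": [("1.8", date(2025, 3, 31)),
                         ("1.9", date(2026, 8, 31)),
                         ("2.0", None)],
    "example-orm": [("4", date(2027, 8, 15))],
}

# Constructed CycloneDX-style SBOM; only the fields this check uses are present.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-web-framework", "version": "2.7.3"},
        {"type": "library", "name": "example-json-lib", "version": "1.9.14"},
        {"type": "library", "name": "example-orm", "version": "4.2.0"},
        {"type": "library", "name": "example-untracked", "version": "0.4.1"},
    ],
})


def branch_matches(version, branch):
    """True if `version` lies on release `branch`, comparing whole dotted segments
    so that branch "1.8" matches 1.8.2 but not 1.80.1."""
    return version.split(".")[:len(branch.split("."))] == branch.split(".")


def lookup_eol(name, version, table):
    """Return (found, eol_date) for the branch the installed version is on."""
    for branch, eol in table.get(name, []):
        if branch_matches(version, branch):
            return True, eol
    return False, None


def newest_supported_branch(name, table, today, warn_days):
    """Newest branch of `name` that stays supported beyond the warning window."""
    horizon = today + timedelta(days=warn_days)
    candidates = [b for b, eol in table.get(name, []) if eol is None or eol > horizon]
    candidates.sort(key=lambda b: [int(x) for x in b.split(".")], reverse=True)
    return candidates[0] if candidates else None


def review_sbom(sbom_json, table, today, warn_days=90):
    """Classify every component as eol, approaching (EOL within warn_days),
    supported, or unknown (no lifecycle data, which also needs follow-up)."""
    report = {"eol": [], "approaching": [], "supported": [], "unknown": []}
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"], comp["version"]
        found, eol = lookup_eol(name, version, table)
        entry = {"name": name, "version": version, "eol": eol}
        if not found:
            report["unknown"].append(entry)
        elif eol is not None and eol <= today:
            report["eol"].append(entry)
        elif eol is not None and eol - today <= timedelta(days=warn_days):
            report["approaching"].append(entry)
        else:
            report["supported"].append(entry)
    return report


def remediation_plan(report, table, today, warn_days=90):
    """Turn EOL, approaching-EOL and unknown findings into concrete actions."""
    plan = []
    for entry in report["eol"] + report["approaching"]:
        target = newest_supported_branch(entry["name"], table, today, warn_days)
        if target is not None:
            action = f"upgrade to {entry['name']} {target}.x"
        else:
            action = "no supported branch known: replace, or obtain extended support"
        plan.append({**entry, "action": action})
    for entry in report["unknown"]:
        plan.append({**entry, "action": "no lifecycle data: confirm support status with the project"})
    return plan


if __name__ == "__main__":
    review_date = date(2026, 6, 26)
    report = review_sbom(SAMPLE_SBOM, EOL_TABLE, review_date)
    for status, entries in report.items():
        for e in entries:
            print(f"{status:12} {e['name']} {e['version']} (EOL {e['eol']})")
    for item in remediation_plan(report, EOL_TABLE, review_date):
        print(f"ACTION: {item['name']} {item['version']}: {item['action']}")
```

The "unknown" bucket is deliberate: a component with no lifecycle data is a gap in the inventory, not a pass, and the review is only complete once every component has a known support status. Run against a real SBOM, the same structure lets the remediation list be regenerated on every build rather than once a year.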
Nalen observes that many engineers are okay with "red flags" in software development, which could include leaving flaws unpatched, if the applications still work correctly. But with cyberattacks and data breaches increasing, that tolerance for shipping unpatched code is disappearing. "Security leaders [are] now coming in saying that red flag isn't going to work anymore," Nalen says.
About the Author
Arielle Waldman
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.
She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.