If you don’t think you’re using open-source software (OSS) right now, think again. The Linux Foundation estimates that open source constitutes 70-90% of modern software. Consider the Linux kernel, the Apache web server, or the numerous open-source libraries underpinning modern cloud infrastructure: the world now depends on open-source software to function. What is far less clear is who is responsible for securing these packages, and how.
In recent years, open-source vulnerabilities have entered the public discourse. Flaws in widely used projects, such as Log4Shell in Log4j or Spring4Shell in the Spring Framework, threaten the software supply chain at large. There is also the problem of typosquatted packages and malicious contributions to open-source projects. Open source relies on community contributions, yet verifying the authenticity of millions of communal commits is inherently hard to oversee, especially when many maintainers are hobbyists or contribute to open-source projects on the side of their day jobs.
Here’s a catch-22: If you don’t use open source, you’re not evolving. Yet if you do, you open your business to known and unknown vulnerabilities. I recently met with Aakash Shah, co-founder of cloud-native security company oak9, to consider what the industry needs to mature open-source security. According to Shah, the root issue these projects face is a lack of resources. As such, he believes large enterprises should invest more to support the open-source projects they rely upon.
Where’s the Support?
Not enough people understand that we live in a world that runs on open-source software. Shah credits the explosion of digital technology usage over the last 20 years primarily to the accessibility of free OSS. Nowadays, all major cloud service providers are built on open-source components, too. The question of whether or not we should use open source is misguided when we are this deep in the proverbial open-source waters.
“Big Tech” companies such as Amazon, Google, and Microsoft have contributed core projects and invested considerably in sustaining these projects. Yet, on the whole, this amount of investment, especially into open-source security, is a drop in the bucket, says Shah. Most companies expect a “free lunch” from OSS yet don’t contribute resources to maintaining it.
A study conducted by Digital Ocean supports this notion. It found that although 75% of developers say their companies expect them to use open source as an integral part of their job, 66% must work on open source in their spare time. If a core maintainer leaves their full-time employment (which often happens, as engineering turnover is rampant), who then is supporting the maintenance of said projects?
Most enterprises don’t have the mechanisms to support OSS, which is “one of the big core issues,” says Shah. And when things go wrong, end users blame the project maintainers, even though supporting the project is not their full-time occupation. “It’s surprising to see things directed at them,” says Shah. “What they should be doing as citizens is contributing back.”
Open-Source Threats
Open-source packages face a range of threats, and attackers pursue them for differing motives. A handful of cases are relatively benign: white-hat researchers have been known to submit malicious contributions simply to “generate awareness” of what is possible. Other risks are far more severe, enabling ransomware, data exfiltration, denial-of-service attacks, and crypto-jacking.
“A lot of OSS can essentially be altered to capture secrets,” said Shah. With a stolen secret, an attacker could make changes to core cloud infrastructure, opening many further avenues of attack. From there, the attacker could exfiltrate sensitive information such as payment details or healthcare records to resell, or quietly leech computing or storage from an unknowing host. Because the hyperscalers themselves depend on OSS, the risk extends to their customers as well. And these risks are all too common: for evidence, consider the list of publicly disclosed vulnerabilities from the major public cloud providers. Shah asks: “If AWS, GCP, or Azure have these security issues, what does it mean for businesses that operate on them?”
Organizations are increasingly giving developers control over the entire release management lifecycle, including the freedom to use their favorite language, framework, or even cloud platform. Yet flexible multi-cloud strategies can exacerbate the open-source security dilemma. Since every cloud platform is itself built on a large amount of OSS, multi-cloud essentially means a larger attack surface to protect, says Shah.
Next Steps: Maintaining OSS Integrity
To maintain the integrity of open-source projects, every industry must contribute back to open-source initiatives, says Shah. One strategy for upholding OSS integrity is to verify the identity of contributors. This is challenging for open-source projects, since they rely on a great deal of communal input. Yet the potential consequences of inaction are dire. For example, certain states may look to OSS as a vector for enhancing their cyberwarfare capabilities by making malicious changes to core projects, which could in turn cripple a nation’s infrastructure.
To maintain code quality, maintainers must catch malicious code early, and suspicious commits should be flagged and reviewed. Code signing, says Shah, could also go a long way toward ensuring the integrity of repositories and package managers. One standard gaining momentum for protecting the cloud-native software supply chain is Sigstore, which brings cryptographic signing to any digital artifact (container images, release tarballs, packages) and records signatures in a public transparency log, so that consumers can verify an artifact has not been altered since its publisher signed it. Efforts like this will be required to secure the open-source pipeline as a whole.
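The primitive underneath artifact signing, shown here as an added example that is not code from the page or from the Sigstore project: the publisher signs the SHA-256 digest of a release artifact with an Ed25519 key and ships the detached signature and public key alongside it; the consumer recomputes the digest and verifies. The `Bundle` type, the function names, and the sample artifact bytes are assumptions made for this example. Sigstore’s cosign additionally uses short-lived keys and a transparency log, which this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Bundle is what a publisher ships next to an artifact (hypothetical format for
// this example). The digest lets a consumer spot tampering before checking the
// signature; the signature binds the digest to the publisher's key.
type Bundle struct {
	DigestHex string            // hex SHA-256 of the artifact bytes
	Signature []byte            // Ed25519 signature over the raw digest bytes
	PublicKey ed25519.PublicKey // publisher's verification key
}

// GenerateKeys creates a fresh Ed25519 keypair for a publisher.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digest hashes the artifact; signing the digest rather than the raw bytes keeps
// the signed message fixed-size regardless of artifact size.
func digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignArtifact produces a detached signature over the artifact's digest.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, digest(artifact))
}

// VerifyArtifact returns true only if sig is a valid signature by pub over the
// artifact's digest. It returns false (never panics) on a malformed key or
// signature, a wrong key, or an artifact that was modified after signing.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, digest(artifact), sig)
}

// MakeBundle is the publisher side: hash, sign, and package for distribution.
func MakeBundle(pub ed25519.PublicKey, priv ed25519.PrivateKey, artifact []byte) Bundle {
	return Bundle{
		DigestHex: hex.EncodeToString(digest(artifact)),
		Signature: SignArtifact(priv, artifact),
		PublicKey: pub,
	}
}

// VerifyBundle is the consumer side: the downloaded bytes must match the
// published digest, and the signature must verify under the published key.
// A mismatched digest is reported separately so an operator can tell a corrupt
// download from a bad or forged signature.
func VerifyBundle(b Bundle, artifact []byte) (digestOK, sigOK bool) {
	digestOK = hex.EncodeToString(digest(artifact)) == b.DigestHex
	sigOK = VerifyArtifact(b.PublicKey, artifact, b.Signature)
	return digestOK, sigOK
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for a release tarball.
	artifact := []byte("example-lib-1.2.3.tar.gz contents (constructed sample)")
	bundle := MakeBundle(pub, priv, artifact)

	d, s := VerifyBundle(bundle, artifact)
	fmt.Printf("pristine artifact: digest match=%v signature valid=%v\n", d, s)

	// Simulate a supply-chain tamper: flip one byte after signing.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	d, s = VerifyBundle(bundle, tampered)
	fmt.Printf("tampered artifact: digest match=%v signature valid=%v\n", d, s)
}
```

The important design choice is that verification keys travel out of band in practice: a consumer who trusts the key only because it arrived alongside the artifact has verified nothing, since an attacker who can replace the artifact can replace the key too. Pinning the publisher’s key (or, with Sigstore, checking the signer’s identity against the transparency log) is what turns this check into a real integrity guarantee.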
Treat OSS as a Public Utility
“We have the maturity in the industry to protect open-source software, but it’s really a matter of open-source projects not having the resources,” said Shah. “That’s where I really see the gap.” Instead of viewing open source as a free lunch, it should be thought of as the “public utilities we all depend upon,” said Shah.
Enacting this change will require thought leaders to lead initiatives that drive improvements to open source and encourage enterprises to invest additional resources in the form of capital and expertise. Through these means, the ecosystems could be matured significantly.