Open source is systematically being attacked on the infrastructure used to distribute code. In a few years, we’ve experienced attacks on pre-existing vulnerabilities occurring months after a disclosure down to a few days.
Attackers now directly hijack the publisher’s credentials and distribute malicious components.This worrisome trend requires enterprises to have in-depth knowledge of what open source components they’re using and where. Developers must pay close attention to their security.
This new form of attack on our software supply chain, where OSS project credentials are threatened, and malicious code is intentionally pumped into open-source libraries, allows hackers to poison the wellspring. The compromised source code is then downloaded by millions of software developers who unknowingly infect their applications.
The power to speed up software development is evident, but so is the significant room for software infection, when not managed properly.
“The notion that open source software is more secure because it is open to inspection by everyone is quite suspect” says Mike Borza, Chief Technology Officer at Elliptic Technologies, a leading security provider.
While it is true that anyone could inspect the source code of an open-source project, the fact is that few do. We’ve seen this truth play out in the hundreds of manufacturers of security-sensitive equipment like gateway routers.
The heartbleed bug, for example, is a severe vulnerability in the cryptographic software library. The weakness allows stealing the information that is supposed to be protected by the SSL/TLS encryption used to secure the internet.
“Many vendors simply took the OpenSSL source tree and integrated it in their products without ever really analyzing what the software was doing. This amplified the impact of Heartbleed,” continues Borza.
While the OpenSSL project is now adequately funded to handle internal security reviews, a Linux system build incorporates hundreds of packages, many of which may admit vulnerabilities.
“The general issue continues to exist,” warns Borza. Companies must include the addition of hardware-based protection schemes at the device level to augment the existing software-based approaches. The software contributors to these projects must focus on their objectives without introducing accidental (or intentional) vulnerabilities.
Threatrix software can protect your company against supply chain attacks with comprehensive detection, reporting and release gating of high risk components. Our scanning agent installs in seconds and integrates easily into your DevOps pipeline, or source repositories.
We provide complete compliance and risk assessments that go far beyond legacy software composition analysis tools.
