SoS Musings #58 - Bolstering Open Source Software Security

SoS Musings #58 -

Bolstering Open Source Software Security

The term “open source” refers to a component that can be modified and shared by people because it is designed to be publicly accessible. It emerged in the software development context to identify a certain approach to the creation of computer programs. Open source software is defined as software that contains source code that can be inspected, modified, enhanced, and otherwise reused by anyone. The source code is the piece of software most computer users do not see as it is used by programmers to change how a program or application functions. According to Red Hat, there are advantages to using open source software, including transparency, availability, and sustainability. The transparency of open source code allows organizations to understand how the software works, ensure that no undesired functions are built in, and adapt the software to their own needs. As open source software passes through different hands, it exists independently of a single manufacturer and is continuously developing and improving. Since open source code is publicly accessible, students can use it to build their software development skills and easily share their work with others. Security is also considered a benefit despite it frequently being cited as a concern, as the large number of independent developers that contribute to open source projects means there is always someone looking out for suspicious behavior. However, the ubiquity of open source software presents significant security risk, increasing the possibility for vulnerabilities to be intentionally or inadvertently introduced to users. Over the course of 2021, 77 percent of organizations increased their use of open source software. In addition, Synopsys' anonymized audit findings from 1,546 codebases across 17 different industries revealed that 98 percent of codebases contained open source code, which composed 75 percent of all codebases. Over 80 percent of the codebases were discovered to contain at least one vulnerability with an average of 158 per codebase. Therefore, it is essential to explore and increase efforts towards improving open source software security.

Executing attacks using open source code is appealing to malicious actors because it can be far-reaching and highly effective. Various methods could be used to hide malicious changes made to open source projects, and the level of thoroughness in reviewing code for security weaknesses differs across projects, potentially leading to significant vulnerabilities being distributed and included in software deployed by many companies. The Log4j vulnerability is one of the most notable examples of risks presented by open source code. Log4j is a widely used Java-based open source logging framework that developers employ to keep track of errors among a system and/or application’s activities. Exploiting the vulnerability in the open source logging software could result in the takeover of computer servers, potentially leaving consumer electronics, government systems, and corporate systems at risk of cyberattacks.

Veracode's 2021 “State of Software Security v11: Open Source Edition” report that focused on the security of open source libraries, includes an analysis of over 86,000 repositories containing more than 301,000 unique libraries. An open source library is a library with an open source license, denoting software that is free to reuse, modify, and publish without permission. Results shared in the report further highlight that although open source libraries are the foundation of nearly all software, it is not a solid foundation as it is constantly evolving and shifting. Development practices often do not adapt to the constantly changing foundation provided by open source libraries, thus leaving organizations exposed to attacks. Veracode's analysis found that developers do not update third-party libraries after including them in software, 79 percent of the time. Although some developers respond quickly when alerted to vulnerable libraries, as 25 percent of bugs were addressed within 7 days, half of the known vulnerabilities were not fixed within 7 months following the release of patches. A survey of more than 1,700 developers revealed that a lack of contextual information is one factor preventing developers from taking immediate action to update vulnerable open source libraries.

Collaborative efforts continue to be made to improve the security of open source software. GitHub launched an initiative aimed at addressing the need across industries for better approaches to fixing security vulnerabilities in open source software. GitHub's Security Lab provides a common venue for open source project maintainers, developers, and organizations to work together on security. GitHub established a team of security researchers dedicated to working with peers from other organizations to find and report vulnerabilities contained by widely used open source projects. According to GitHub, 40 percent of new vulnerabilities in open source do not have a CVE identifier when they are announced, and therefore, are not included in any public database. In addition, 70 percent of critical vulnerabilities have been found to remain unpatched 30 days following their disclosure to developers. GitHub tries to fix this issue by helping maintainers and developers work directly together to develop patches for disclosed bugs and to ensure coordinated disclosures after the vulnerabilities have been patched. The Open Source Security Foundation (OpenSSF) has announced the Alpha-Omega Project, aimed at helping maintainers of the most critical open source projects identify and fix security vulnerabilities in their code, as well as improve their security posture. The project, backed by a $5 million investment from Microsoft and Google, has two separate initiatives, with the first, focusing on evaluating the security of a small number of highly critical open source projects and services deeply integrated into the Internet. These projects will get tailored assistance to help maintainers find security gaps and develop solutions to address those issues, including threat modeling, automated security testing, source code audits, and more. The other portion of the project will cover the broader field of open source projects, identifying security vulnerabilities through the use of cloud-scale analysis, the triaging of findings by security analysts, and the reporting of critical vulnerabilities to the right open source software project stakeholders.

The research and development of tools and strategies for protecting open source software continues. George Mason University (GMU) announced the development of a tool by a team of GMU cybersecurity researchers aimed at identifying security patches in updates for open source software. The Machine Learning (ML)-based defense system and toolkit they are developing will alert users to updates containing security patches that they need apply immediately. This research was prompted by the issue of vendors not explicitly letting users know if updates for open source software have important security patches, likely because they might not want to damage their reputation by letting users know their software has security problems. This information must be shared because delays in software updates could lead to a cyberattack on a system. Attackers can use code changes from a patch or the differences between two versions to execute attacks on unpatched software or old software versions. Cybersecurity experts call on the establishment of a decentralized group called the “Open Source Software Neighborhood Watch,” composed of US government employees, open source software developers, and industry software engineers to help protect and defend open source software components against attacks. This “neighborhood watch” would create a digital security infrastructure to help open source software developers and end users lead more secure digital lives by designing, building, and maintaining software systems that promote the engineering integrity of the platforms supporting modern digital society.

Open source software comes with numerous advantages, but organizations should consider the risks of implementation, and the Science of Security community should continue exploring solutions to bolstering the protection of such software against abuse and attacks by malicious actors.