The role that open-source software plays across society cannot be overstated, with around 90% of companies thought to be using it, alongside governments and critical industries.
However, this software is vulnerable to being exploited by malicious actors because the code is publicly available. Additionally, open-source developers often have limited cybersecurity knowledge.
The Log4j vulnerability, discovered at the end of 2021, highlighted the risks that open-source software poses to organizations. The vulnerability is still impacting organizations today.
The Log4j incident put the issue of open-source security firmly onto the radar of governments, many of whom are now considering legislative options in this area.
A key battleground in enhancing open-source security is the development platforms themselves, which are well placed to build a culture of security-by-design into the ecosystem. The largest of these platforms is GitHub, which hosts over 100 million developers globally.
Infosecurity spoke to GitHub’s Deputy Chief Security Officer (CSO), Jacob DePriest, to learn more about how the company uses AI tools to strengthen the security of code developed on its platform.
DePriest also discussed how to build standards-based approaches to enhance open-source security across the ecosystem.
The Role of AI in Securing Open-Source
AI is already having a major impact in secure software development, according to DePriest.
“It’s just the beginning of what we’re going to see from a security perspective as well,” he added.
DePriest cited GitHub’s owner, Microsoft, and the development of its Copilot large language model (LLM) tool as having a particularly significant impact, including for developers on the GitHub platform.
“We have security filtering in place for the code that Copilot suggests. It’s very early days, but we’re already seeing some of those benefits in play now and that’s going to get better over time,” he commented.
Another role Copilot can play in secure code creation is enabling developers to add more context to their code by interacting with the tool’s chat function.
In 2023, GitHub observed that 35% of newly written code was suggested by Copilot. Now, in files where Copilot is enabled, up to 60% of the code is being written by Copilot in popular coding languages like Java.
GitHub is also working on bringing AI into every stage of its developer workflow, to support security-by-design in open-source code.
“Open source is the backbone to everything we do, and what most companies do to a certain degree”
This includes its code scanning Autofix tool, which DePriest said is leading to “massive improvements in the usability and close rates on some of those vulnerabilities and code.”
A number of studies have shown that threat actors heavily target platforms like GitHub to exploit open-source code. For example, a report published by ReversingLabs in January 2024 recorded a 1300% increase in malicious packages on open-source package managers between 2020 and the end of 2023.
DePriest acknowledged that GitHub is “definitely not a stranger to being a target.”
He said the platform’s security team uses machine learning (ML) and automated pipelines to detect abuse on the platform, such as discovering patterns of actors misusing the service.
“The more we can automate those detections and rely on the automatic threat detection, the more we’re going to be successful,” noted DePriest.
Distributing Responsibility for Open-Source Security
Many open-source software developers are not security experts, nor is it necessarily reasonable to expect them to be, said DePriest. However, there is a growing “base awareness” of security issues within the community.
This is something GitHub is keen to leverage by making security tools and best practices as accessible and easy to use as possible for developers.
This includes helping open-source repositories enable secret scanning, code scanning and Dependabot.
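To make this concrete, below is a minimal, illustrative sketch of how a maintainer might switch on some of these features for a single repository through GitHub’s REST API. The owner, repository name and token variable are placeholders, and availability of each feature depends on the repository’s visibility and plan; this is an assumption-laden example rather than GitHub’s recommended workflow.

```python
import os
import requests

# Hypothetical repository used purely for illustration.
OWNER, REPO = "example-org", "example-repo"
API = f"https://api.github.com/repos/{OWNER}/{REPO}"
HEADERS = {
    "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",  # token is a placeholder
    "Accept": "application/vnd.github+json",
}

# Enable Dependabot alerts (vulnerability alerts) and Dependabot security updates.
requests.put(f"{API}/vulnerability-alerts", headers=HEADERS).raise_for_status()
requests.put(f"{API}/automated-security-fixes", headers=HEADERS).raise_for_status()

# Secret scanning is toggled via the repository's security_and_analysis settings.
requests.patch(
    API,
    headers=HEADERS,
    json={"security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
).raise_for_status()
```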
However, DePriest said open-source security can only be improved by achieving buy-in from all stakeholders, including governments, corporations and academia, as well as developers.
“Open source is the backbone to everything we do, and what most companies do to a certain degree – almost every company in the world is using open-source software to some extent or another,” he outlined.
A standards-based approach is essential in this landscape to establish who should be accountable for security and where that accountability should sit, added DePriest.
The Log4j incident was a huge wake-up call in this regard. DePriest noted that victim organizations were asking questions like why the developer didn’t have a service-level agreement (SLA) or support staff.
“These are questions we would ask of an organization – but it was just a handful of volunteers doing this on the weekend,” he explained.
In DePriest’s view, commercial entities selling software systems should be accountable for all the code they are using and obliged to work with the open-source ecosystem in this regard.
Governments are recognizing the need to engage with the open-source community in developing security standards. For example, the EU significantly revised relevant provisions in its Cyber Resilience Act (CRA) after engaging open-source stakeholders following the publication of its initial draft.
DePriest noted that GitHub is now represented on the Common Vulnerabilities and Exposures (CVE) board, enabling the firm to translate incoming CVEs into actionable outcomes on its platform.
“Based on what we’re seeing with policymakers, we’re optimistic that this balance is going to land the right way,” he commented.