Why Trust and Evidence Are the New Frontiers of Open-Source Risk

From the Linux operating system to Apache web servers, open source is the foundation on which much of the internet’s infrastructure is built. But, increasingly, little-known open-source software (OSS) components are finding their way into all sorts of commercial and free-to-use applications.

As threat actors get smarter and the integration of OSS increases across the security stack, a keener focus must be placed on managing cyber risk in open-source environments. This will require greater due diligence of communities and codebases and a more concerted effort by industry and governments to enhance baseline security standards.      

How Cyber-Threats Are Evolving

Attackers have always had an advantage over network defenders. But we risk turning that into an unstoppable lead in the cyber arms race through the indiscriminate use of open-source technologies. Exploitation of OSS is becoming an increasingly acute problem as DevOps teams tap open-source repositories to accelerate time to market. 

According to one estimate, there were over three trillion downloads from the top four OSS ecosystems in 2022. Yet threat actors are getting savvier. Experts uncovered 88,000 malicious packages uploaded to the big four repositories in 2022 alone, a 742% increase on 2019 figures. That’s not to mention the OSS vulnerabilities many packages contain. Separate research found that the average application development project contains 49 vulnerabilities spanning 80 direct dependencies. 

Openness and trust in OSS development set the expectation that many eyes are looking at the code, which nominally makes it more secure. But this openness also gives threat actors the advantage of hiding in plain sight inside an open-source community. We must open our eyes to these risks without limiting the huge business benefits OSS can generate. It’s incredible to consider that only 49% of global organizations today claim to have an open-source security policy.

A Trust Issue

We’re all using more OSS in our businesses. And the quality of that code isn’t always as good as it should be. That’s because open source covers a vast range of communities and projects. Because it’s fun and intellectually stimulating for smart coders, more and more are jumping the relatively low barrier to entry and starting their own projects. When it comes to open-source projects, there is no one-size-fits-all model, which creates complexity and nuance.

Sometimes this nuance is lost when organizations incorporate OSS into their product roadmaps without proper due diligence into its origins. What type of license is offered? Is there a risk of contamination? How well-staffed and supported is the project? These are questions that often go unanswered. Yet they are critically important. The vulnerable Apache Log4j utility was found to have been used by over half of global organizations back in December 2021. Yet, in reality, it was built and maintained by a relatively small team.

The wide range of open-source project maturity means development teams must take a page from the security handbook and adopt a zero-trust approach to open source: never trust, always verify. That means conducting due diligence on open-source projects and the community that surrounds them. It also means ensuring the right detection and response tools are in place to provide evidence of malicious activity before attackers can do any real damage.

Cross-Industry Collaboration

In contrast with the broad adoption in general development, the use of OSS by cybersecurity teams faces different challenges. Fortunately, code security and trustworthiness are critical for both the projects and the practitioners, so the code is typically well designed and tested. Instead, the challenge for these efforts is integration across projects and communities. Security mandates have historically been virtually obsolete by the time they are enacted; instead, we need to see governments stepping up by incentivizing open-source communities to collaborate in ways they haven’t so far – integrating in a way that the cybercrime underground has been doing for years.

This is where agencies like the National Cyber Security Centre (NCSC) in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the US can add real value. The NCSC is actively trying to provide a forum for greater open-source collaboration and cooperation. Building linkages across key cybersecurity OSS communities can improve defensive toolsets and enable a more common platform for cybersecurity training programs in schools, enterprises and governments alike.

An Enabling Attitude

Success requires first recognizing our limitations in the general OSS case and, specifically, in the use of OSS in cybersecurity. As with the general shift from ‘heroic’ to ‘servant’ leadership over the past two decades, technological innovation is moving so fast that leaders need help from the team closest to the detail to make the best decisions. It means humility and continual learning are now the watchwords for CISOs – essentially extending the zero-trust concept to our own assessment of our depth and expertise. Leading first with what we don’t know will stand organizations in good stead as they come to terms with managing open-source risk.
