How to overcome the security challenges posed by open-source code

One that has seen significant recent growth has been attacks against software supply chains. According to industry reports, during the past 12 months, there has been a 430 per cent year-on-year increase in attacks targeting open-source components in supply chains around the world.

This trend is very concerning as many organisations have become reliant on cloud-native software that makes use of open-source components. Cyber criminals know this and so are moving “upstream” to attack the source of the software and shifting “left” to target the developers building the software.

Open-source infiltration

The technique of infiltrating open-source libraries can be a much more covert approach than directly attacking an organisation. The latter is tricky and likely to yield slower and fewer results.

If a cyber criminal is successful in mounting a software supply chain attack, they are likely to be able to steal both machine identities and sensitive data. Unfortunately, while the implications for a victim can be devastating, there remains a lack of security standards around open-source software.

Security experts know that each piece of software in an open-source library should be authenticated with a codesigning certificate. However, code signing machine identities are not well managed and make it unfeasible to verify each one at developer speed.

The bottom line is that the responsibility for successfully protecting software development is in the hands of developers. Making it easy and fast for engineers to protect inside the software pipelines and assure the security of developed products is vital.

The detection challenge

VIEW ALL

Actually, detecting a software supply-chain attack can be very challenging for a security team. This is because there is usually no reason to suspect a previously trusted supply chain has been altered.

Because businesses tend to be focused on speed, developers accelerate their processes by using functionalities that are implemented in software libraries or modules written previously by someone else. These projects rely on contributions from volunteer developers, and typically incorporate elements from other open-source projects.

This approach can make the code prone to abuse accidentally, as known vulnerabilities can be incorporated by mistake. Alternatively, attackers can purposefully add malicious pieces of code which can be almost impossible to spot.

By targeting these code repositories, attackers greatly increase the attack surface. Since there is no review and approval process for the open-source package repositories, they can therefore slowly become free malware-hosting services.

The rise of ‘typosquatting’

One of the most common attack techniques is known as “typosquatting”. This involves mimicking names that are similar but slightly different from commonly used packages. The hope is that developers and administrators will accidentally mistype the intended name and install the malicious package instead.

For example, the python-dateutil and jeIlyfish may be listed with an upper-case “I” instead of an “L”. These infested packages behave the same as the originals, except these also attempt to steal machine identities and other sensitive information from the developer or user of the software.

Protecting users from attacks

Many developers are still not aware of the risks that these open-source repositories pose. Yet, with more security rules and standardisation around the use of code signing, these security issues can be prevented.

It is critical that developers build a verification process into their workflows, along with scans for known vulnerabilities. This will help to ensure code is clean before it is put to use.

However, the entire burden must not fall onto already stretched software developers, as it’s unreasonable to expect them to check every line of code. The managers of open-source repositories must also implement review and approval processes for all submitted code to prevent their service from becoming a malware distribution channel.

The need for standards

If the challenges around open-source security and code signing are not swiftly addressed, attacks utilising these techniques will continue to increase in frequency and potency.

All organisations making use of open-source code need to ensure their developers are equipped with automation tools and effective processes that enable them to check code for vulnerabilities on an ongoing basis.

Any failure to do this leaves a large door open through which cyber criminals can mount an effective and potentially costly attack.

Brooke Crothers is an editor, machine identity management security at Venafi.