Getty Images/iStockphoto
FOSS security concerns increase amid widespread adoption
A new report from the Linux Foundation, OpenSSF and Harvard University calls for transparency and standardization to address growing security risks in open source software.
New research has shown that despite widespread use of free and open source software libraries in enterprise environments, security continues to be a significant problem.
The Linux Foundation, the Open Source Security Foundation (OpenSSF) and Harvard University published a new report Wednesday that examined security challenges related to the growing use of free and open source software (FOSS) libraries. The report, titled "Census III of Free and Open Source Software," includes data from more than 12 million observations of FOSS libraries used in production applications at more than 10,000 companies, including public and private sectors.
Census III marks the third report in a series of FOSS investigations from the three organizations. The report was authored by Frank Nagle, assistant professor at Harvard Business School; Kate Powell, program manager at the Laboratory for Innovation Science at Harvard; Richie Zitomer, predoctoral fellow at Harvard Business School; and David A. Wheeler, director of open source supply chain security at the Linux Foundation and staff member at OpenSSF.
The report detailed a plethora of security challenges related to developer accounts, legacy technology and an overall lack of support for FOSS packages. The authors stated that the report aims to highlight the most widely used FOSS packages at the application library level and the challenges they face.
The authors called for changes to be made if security is to keep pace with the increasing use of FOSS libraries at the enterprise level.
"Given the distributed nature of FOSS, only through data sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come," the authors wrote in the report.
The Census III report highlighted many security concerns related to individual developer accounts. The authors observed that some accounts did not have MFA enabled, "leaving individual computing environments more vulnerable to attack." Additionally, the report found that in a majority of cases the developer accounts lacked important permission and publishing controls compared with organizational accounts, which makes it easier for attackers to change the code once the accounts are compromised.
"These potential risks are not hypothetical; developer account takeovers have begun occurring with increasing frequency, both in forges such as GitHub and in repositories such as the npm repository and PyPI," the report said.
The report also warned that "backdooring" is one popular method attackers use to compromise accounts. As the name suggests, the technique allows attackers to create a backdoor to organizations by inserting malicious code into packages that they can access once the host package is installed.
For example, earlier this year Checkmarx observed a threat campaign where attackers took over influential GitHub accounts and made commits to popular GitHub organizations, including Top.gg. Additionally, in August a backdoor was discovered in the open source liblzma package for XZ, a popular compression library used in many Linux distributions. Microsoft developer Andres Freund traced the backdoor to an authorized XZ maintainer known as Jia Tan, who intentionally added the malicious code to the library.
The authors noted that cases like the XZ backdoor, in which developers intentionally subvert the security of software, are an "even more serious problem" despite being rare. "Thus, in the contexts of both security and general risk management, it is critical that developer accounts be understood and strongly protected," the report said.
Growing supply chain concerns
The report noted that continued usage of legacy technology also poses a problem for FOSS. When comparing Census II and Census III, the authors found that many software packages remained highly ranked, despite being replaced by newer versions.
"This suggests that a generally accepted reality exists within the FOSS development space: open source has not escaped the problem of legacy technology. In this specific case, the "legacy tech" is a single software package whose replacement has not yet overtaken its predecessor in terms of sheer usage. Software should arguably be easier to replace compared to hardware," the report said.
During the research for Census III, the authors also found that the most widely used FOSS is developed by only a handful of contributors. The finding revealed a lack of support for FOSS, which makes it difficult to address new and emerging security issues. The authors stressed that it's a common misconception that open source packages are managed by "thousands or millions of developers."
"Reviewing 47 of the top non-npm projects from our version-agnostic direct list, for commits in the year 2023, it was found that 17% of projects had one developer accounting for more than 80% of commits authored," the report said. "Further, 40% of projects had only one or two developers accounting for more than 80% of commits authored, 64% of projects had four or less developers accounting for more than 80% of commits authored, and 81% of projects had ten or less developers accounting for more than 80% of commits authored."
The authors noted additional trends between Census II and Census III, including an ongoing transition from the use of Python 2 to Python 3, the increased use of components from Rust package repositories and an ongoing need to develop a standardized naming schema for software components. The report emphasized that until such a system is set up, organizations won't be able to communicate effectively on a large scale, which can contribute to software supply chain attacks.
"The bottom line -- revealed by the Census III project, the NTIA process, NIST's vulnerability management struggles, and other similar projects -- is that there is a critical need for a standardized software component naming schema that is in widespread use. Until one is widely used, strategies for software security, transparency, and more will have limited effect," the report said.
The Census III report follows several notable supply chain attacks this year in which attackers compromised developer platforms and repositories. For example, in October, LottieFiles disclosed a supply chain attack attack where threat actors injected malicious code into new versions of Lottie Player on NPM. Prior to that, Checkmarx warned of a supply chain attack where threat actors manipulated GitHub's search functionality.
"Given the increasing frequency and sophistication of cybersecurity incidents in which the software supply chain plays a part, there is precious little time to waste," the report said.
Wheeler expanded on the problems FOSS faces to TechTarget Editorial. In addition to challenges with securing developer accounts and legacy technology, Wheeler said another common problem is the failure of users to plan for changes to FOSS. Software will change over time, he said, and there are well-known ways to address those changes, such as using version control, an automated build and automated tools.
"One of the common problems is the failure to have a good automated test suite. When there's no good test suite, developers are afraid to update dependencies, in part because they know that sometimes dependencies create unnecessary backward incompatibilities," Wheeler said in an email. "This lack of automated testing soon paralyzes improvement, causing the software to stay stuck in the past."
To address the problem, Wheeler said it's important to have a strong CI/CD pipeline that runs automated tests and various tools to look for security vulnerabilities. He also said the government can play an important role in driving standardization and encouraging secure software developer practices. He applauded CISA's progress in promoting secure software, but said additional efforts are needed.
"For instance, the government could offer resources for open source projects to prioritize memory safety, fund developer training in languages like Rust, and establish clear standards and best practices for secure software development that can be adopted across industries," Wheeler said. "One problem specifically highlighted in the report is the need for standardized identifiers for software. The industry is starting to coalesce around standards like package URLs (purls) to use as a standardized identifier. If governments would ensure that all CVEs included purls, at least when identifying OSS, that would enable automated mapping from vulnerability reports to the software with those vulnerabilities."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
