Suggestions for improving the security of open source software were unveiled at a summit attended by some of the biggest names in technology. The open source summit, convened by the Linux Foundation and the Open Source Software Security Foundation with the support of the US government, follows a stream of supply chain cyberattacks made possible by open source flaws.
Held one year after President Joe Biden's executive order to improve the nation's cybersecurity, yesterday's summit was attended by more than 90 leaders from 37 companies, as well as officials from six government agencies, including the National Security Council (NSC) and the Cybersecurity and Infrastructure Security Agency (CISA). Companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware are part of the initiative and have pledged a collective $30 million to fund the measures under a ten-point security plan.
The plan unveiled at the summit includes promoting better developer training, introducing digital signatures and auditing the 10,000 most popular open source libraries. Open source experts believe that some elements of the plan are promising, but others may be too prescriptive to benefit the open source community.
Why does open source security need to be improved?
The ten-point plan was developed by the Linux Foundation and the Open Source Software Security Foundation to standardise security practices across the open source community. Open source repositories are widely used by developers, and research by open source security provider Sonatype found that, on average, 85% of every application consists of open source code.
Deficiencies in this code can cause serious problems if exploited by hackers. The most prominent recent example is the Log4Shell vulnerability, which came to light shortly before Christmas last year. The flaw in the commonly used Java library has been used by hackers to carry out supply chain attacks against customers of companies whose systems had been compromised, including some of the world's largest software vendors.
Globally, the number of software supply chain attacks has increased recently, rising by 650% year-on-year last year, according to a study by specialist security provider Sonatype.
Open source software protection: how can it be improved?
Potential solutions set out in the ten-point plan include providing free secure coding courses to software developers who want to contribute to the open source community, deploying digital signatures to verify developers, removing malicious participants, and third-party security checks of the most commonly used open source components.
Security experts who spoke to Technical Monitor say the plan should put more responsibility on end users. "The problem is that all of these rules are on the developers who make this software and put more strain on them," said Peter Chestna, CISO of the Openmar security testing platform. "I don't see anything in this for consumers." Chestna says that users of open source code "should have an action plan if a [vulnerability] is announced or if malicious code is announced."
Brian Fox, CTO at Sonatype, agrees. "Software is made by people, and as such, it will be wrong," he said. "So if you don't take ownership of the things you consume and you don't have procedures in place to react [to security incidents], it doesn't matter what happens [with the software] – it will never be perfect."
Is more open source software security training realistic?
Some of the ideas set out in the plan could repel open source software developers, as imposing education standards on developers before they can contribute to repositories could deter people from volunteering, Chestna said.
"Some of these open source people are paid contributors," he explains. "But a lot of them are just developers doing it as a hobby. Are we going to turn them off now and say, 'You can't, you can't do this anymore'? I think that would be a mistake."
However, free education will eventually have the desired effect, Fox said. "If you're a developer and don't have that minimum standard of training, it can be harder for you to find a job," he says. "In some industries, that's the only incentive. Does that force people? Not quite, but it certainly strongly encourages them, and gives them the opportunity and empowerment to do so."
Another contentious point is the audit of the top 10,000 libraries, which could expand to hundreds of thousands or millions of pieces of code once sub-libraries are included, Chestna says.
Even if this code is made secure, he added, hackers will simply target other libraries instead. "When you start saying I'm going to head for the top 10,000, it's like saying I'm going to lock the doors and windows in front of my house," Chestna said. "You're not watching the back door. We're just moving the problem."
Overall, Chestna believes the plan is on the right track, but may be too prescriptive for the open source landscape. “I would say about half of them are right and need to be prioritized,” he said. “The other half is talking about mandates and forcing people to do things that they honestly may not want to do.”
However, this could be the first step in the journey to securing open source software, says Fox of Sonatype. "It's a marathon, not a sprint," he added. "So some of these things will take a long time before they are effectively deployed in the ecosystem."