Securing the Future of Open Source in the Software Supply Chain
Concern about open-source vulnerabilities within software supply chains is gaining more traction than ever. Open source represents the area of “least confidence” for cybersecurity professionals when securing the supply chain. And in a post-Log4Shell world, it makes sense.
After all, Log4Shell demonstrated the devastating effects of an open-source cyberattack on supply chains.
With open-source software powering the vast majority of modern digital infrastructure—an average application uses 528 different open-source components—it leaves every organization vulnerable if they don’t make a concerted effort to secure open-source software.
It’s no wonder 72 percent of cybersecurity professionals want more government input to increase the cyber protection of open-source software, especially considering the urgent lack of skilled employees and resources on hand to quickly and efficiently address open-source vulnerabilities.
Open Source’s Greatest Strength and Challenge
The collaborative approach of open-source software is highly effective for driving innovation, but its decentralized model disincentivizes organizations to maintain its security. There are so many beneficiaries of open source (i.e., any organization that builds products or services from software), that not enough organizations see their responsibility in the upkeep of these projects.
Some organizations don’t even realize they’re benefitting from open source because they don’t have a clear view of the components they use within their supply chain. Worryingly, a report recently found that the highest-risk open-source vulnerabilities discovered during 2020 had already existed in code for more than two years. That’s a problem.
Organizations can only reduce their security risk if they maintain a clear view of their entire attack surface, including the software components they do not directly own. And, an organization’s sphere of control over open-source components is minimal unless it makes an active effort to identify and engage with open-source projects.
The challenges intensify when considering the entire software supply chain. Following a spate of high-profile attacks against the software supply chain in 2022, it’s more critical than ever for organizations to develop more effective measures and strategies for securing their supply chain.
As we all know, it only takes one weakness in a vendor’s security or an organization’s infrastructure to cause the whole house of cards to collapse—and open-source compounds this risk because it removes more control over supply chain security from an organization.
We All Benefit, So We All Must Contribute
Historically, there’s a misguided assumption that any time an open-source project releases new code, thousands of expert eyes will pore over it to identify potential vulnerabilities. Unfortunately, this isn’t the case—particularly if the project is niche or doesn’t possess the financial backing of a large organization.
That’s why the beneficiaries of open source must first change their mindset and embrace ownership of its security. There must be a greater onus on organizations to take a more active role in the stewardship of the projects they depend on, rather than sitting passively back and benefiting from others’ efforts.
The key is encouraging all organizations to allocate dedicated financial resources and time from security and developer teams to review the open-source code they use to identify and fix security issues.
Incentivize Security Across the Vulnerability Lifecycle
Once an organization is committed to supporting the open-source community, where does it start? When it comes to open-source libraries, of course, there’s a significant amount of code to look through. Therefore, dedicated attention across the entire vulnerability lifecycle is essential.
One of the best ways to foster collaboration and strengthen the open-source community is through bounty programs, which encourage ethical hackers to identify, report, and address potential vulnerabilities in open-source code. Many forward-thinking companies are now splitting bug bounty rewards between hackers and open-source software maintainers to reduce the burden on project maintainers and their teams.
Typically, open-source software maintainers volunteer their time for free, but this new “split bounty” approach ensures payment for every stakeholder contributing to vulnerability management. Pooling funding from multiple organizations that share similar risks also reduces the burden of open-source security on each individual organization and helps build the collective security of each contributor.
Another way to reduce the burden on maintainers and security teams is a collective effort to streamline open-source code libraries. Right now, large open-source libraries carry a huge dependency tree—creating much more opportunity for vulnerabilities to be present. The consolidation towards a smaller number of broader, more general-purpose open-source libraries could help simplify the submission flow of potential vulnerabilities.
We Can’t Let Open Source Become a Neglected Target
The supply chain has always represented a major attractant for cybercriminals, but the security community must avoid allowing the supply chain to turn into a neglected target—the benefits of an open-source supply chain are just too plentiful to overlook.
Growth in this area is unlikely to slow any time soon, so it’s imperative the community continues to come together, adopts a collective responsibility, and incentivizes security across the entire vulnerability lifecycle—allowing open source to continue flourishing.
Kayla Underkoffler is a senior security technologist at HackerOne.
© 2023 Kayla Underkoffler
