How to overcome the security challenges posed by open-source code


GUEST NOTE: The cyber threat landscape is constantly changing as attackers use new techniques to gain access to their targets.

Attacks against software supply chains have seen significant growth in recent times. According to industry reports, in the past 12 months there has been a 430% year-over-year increase in attacks targeting open source components in supply chains around the world.

This trend is very concerning as many organizations have become dependent on cloud native software that uses open source components. Cybercriminals know this and therefore move “upstream” to attack the source of the software, and move “left” to target the developers who create the software.

Open-source stealth

Infiltrating open source libraries can be a far more covert approach than attacking an organization directly. The latter is harder and likely to yield slower and fewer results.

If a cybercriminal successfully mounts an attack on the software supply chain, they are likely to steal both machine identities and sensitive data. Unfortunately, while the implications for a victim can be devastating, there remains a lack of security standards around open source software.

Security experts know that every piece of software in an open source library must be authenticated with a code-signing certificate. However, the identities of the code-signing machines are often poorly managed, which makes it impossible to verify each one at developer speed.

The bottom line is that the responsibility for protecting software development rests with the developers. It is essential to enable engineers to easily and quickly protect the inner workings of software pipelines and ensure the security of the products they build.

The detection challenge

Detecting a software supply chain attack can be very difficult for a security team, because there is usually no reason to suspect that a previously reliable supply chain has been altered.

Because companies tend to focus on speed, developers speed up their processes by using features that are implemented in software libraries or modules previously written by someone else. These projects rely on contributions from volunteer developers and usually incorporate elements from other open source projects.

This approach can make the code subject to accidental misuse, as known vulnerabilities can be incorporated by mistake. Alternatively, attackers can deliberately insert small pieces of malicious code that can be nearly impossible to spot.

By targeting these code repositories, attackers significantly increase the attack surface. Since there is no review and approval process for open source package repositories, they can slowly become free malware hosting services.

The rise of “typo-squatting”

One of the most common attack techniques is known as “typo-squatting”. This involves publishing packages under names that are similar to, but slightly different from, those of commonly used packages. The hope is that developers and administrators mistype the intended name and install the malicious package instead.

For example, python-dateutil and jeIlyfish may be listed with an uppercase ‘I’ in place of a lowercase ‘l’. These tampered packages behave like the originals, except that they also attempt to steal machine identities and other sensitive information from the developer or user of the software.
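The kind of check that catches the look-alike names described above, as an added example that is not code from the original article. It compares a requested package name against an allow-list of trusted names in two ways: after PEP 503 name normalization, and after collapsing visually confusable characters (uppercase I, lowercase l and the digit 1 are treated as the same letter), and it flags names within one edit of a trusted name. The trusted list and the candidate names are constructed for illustration.

```python
"""Flag package names that look like typo-squats of allow-listed packages.

Added example, not code from the original article. TRUSTED is a constructed
allow-list; a real pipeline would load it from the organisation's approved
dependency inventory.
"""
import re

# After lower-casing, characters that look alike in many fonts are mapped
# to one canonical letter, so "jeIlyfish" and "jellyfish" compare equal.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

TRUSTED = ["python-dateutil", "jellyfish", "requests", "urllib3", "numpy"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Normalized name with confusable characters collapsed."""
    return normalize(name).translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_name(candidate: str, trusted=TRUSTED, max_distance: int = 1):
    """Classify a requested package name against the allow-list.

    Returns None when the name is an allow-listed package, otherwise a
    (reason, trusted_name) tuple: "confusable" or "near-miss" with the
    trusted package it resembles, or ("not-allow-listed", None) when the
    name resembles nothing on the list and simply needs review.
    """
    norm = normalize(candidate)
    trusted_norm = {normalize(t): t for t in trusted}
    if norm in trusted_norm:
        return None

    # 1) Same skeleton: differs only in look-alike characters.
    sk = skeleton(candidate)
    for t in trusted:
        if skeleton(t) == sk:
            return ("confusable", t)

    # 2) One edit away: a dropped, added or swapped character.
    closest = min(trusted_norm, key=lambda t_norm: levenshtein(norm, t_norm))
    if levenshtein(norm, closest) <= max_distance:
        return ("near-miss", trusted_norm[closest])

    return ("not-allow-listed", None)


if __name__ == "__main__":
    for name in ["jeIlyfish", "python-dateutl", "Python_DateUtil", "django"]:
        print(f"{name!r}: {check_name(name)}")
```

Running it as a pre-install hook (for example, over the names in a requirements file) turns the two failure modes the article describes into explicit findings: "confusable" for the uppercase-I substitution and "near-miss" for an ordinary typo, while names that merely are not on the list are left for a human to review rather than silently accepted.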

Protect users from attacks

Many developers are still unaware of the risks posed by these open source repositories. Yet, with more security rules and standardization around the use of code signing, these security issues can be avoided.

It is essential that developers incorporate a verification process into their workflows, along with scans for known vulnerabilities. This helps ensure the code is clean before it is used.
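One concrete shape for the verification step just described, as an added example and not code from the original article: before a downloaded dependency is accepted, its SHA-256 digest is compared against the value pinned in the lockfile, and its pinned version is checked against a list of known-vulnerable version ranges. The artifact bytes, the pinned hash and the advisory entries below are constructed for illustration; in a real pipeline the pin comes from the project's signed release metadata or lockfile and the advisories from a vulnerability database feed.

```python
"""Vet a dependency by hash pin and known-vulnerability range before use.

Added example, not code from the original article. SAMPLE_ARTIFACT,
PINNED_SHA256 and ADVISORIES are constructed test data.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A vulnerable version range: introduced <= version < fixed."""
    package: str
    introduced: str
    fixed: str


# Constructed advisory list: "examplepkg" is hypothetical.
ADVISORIES = [Advisory("examplepkg", "1.0.0", "1.2.0")]

# Constructed stand-in for a downloaded wheel; the pin is what the lockfile
# would carry for the genuine release.
SAMPLE_ARTIFACT = b"constructed examplepkg-1.2.0 wheel contents"
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


def parse_version(v: str) -> tuple:
    """Minimal dotted-integer version parser, sufficient for X.Y.Z pins."""
    return tuple(int(part) for part in v.split("."))


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the artifact digest with the pinned value."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def affected_by(package: str, version: str, advisories) -> list:
    """Advisories whose vulnerable range contains this package version."""
    v = parse_version(version)
    return [a for a in advisories
            if a.package == package
            and parse_version(a.introduced) <= v < parse_version(a.fixed)]


def vet_dependency(package: str, version: str, data: bytes,
                   expected_sha256: str, advisories=ADVISORIES) -> list:
    """Return a list of problems; an empty list means the dependency is accepted."""
    problems = []
    if not verify_sha256(data, expected_sha256):
        problems.append("hash mismatch: artifact differs from the pinned release")
    for adv in affected_by(package, version, advisories):
        problems.append(f"known vulnerability: {adv.package} "
                        f"{adv.introduced} <= {version} < {adv.fixed}")
    return problems


if __name__ == "__main__":
    print(vet_dependency("examplepkg", "1.2.0", SAMPLE_ARTIFACT, PINNED_SHA256))
    print(vet_dependency("examplepkg", "1.1.5", SAMPLE_ARTIFACT, PINNED_SHA256))
    print(vet_dependency("examplepkg", "1.2.0", SAMPLE_ARTIFACT + b"x", PINNED_SHA256))
```

The hash check is what stops a substituted or tampered archive from being installed even when its name and version look right; the range check is the "scan for known vulnerabilities" step, kept deliberately simple here so the two controls can be read side by side.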

However, the entire burden should not fall on already overburdened software developers, as it is unreasonable to expect them to check every line of code. Open source repository managers should also implement review and approval processes for all submitted code to prevent their service from becoming a conduit for malware distribution.

The need for standards

If the challenges of open source security and code signing are not quickly resolved, attacks using these techniques will continue to increase in frequency and power.

All organizations that use open source code should ensure that their developers are equipped with automation tools and effective processes that allow them to continuously check code for vulnerabilities.

Failure to do so leaves a wide open door through which cybercriminals can mount an effective and potentially costly attack.

