As organizations seek to gain an edge over their competitors, they are finding power in open source, which has led, in the words of Brian Behlendorf, Executive Director of the Open Source Security Foundation, to a “Cambrian explosion” of open source. But with the increase in the use of open source code, there has been an increase in vulnerabilities, and therefore a need to better secure open source software.
During his presentation “The Power of Open Source” at this month’s MIT Technology Review Future Compute conference, held on the MIT campus in Cambridge, Massachusetts, and in an interview with ITPro Today, Behlendorf highlighted the growth of open source and the security challenges that come with that growth.
According to Sonatype’s 2021 State of the Software Supply Chain Report, he said:
- There are currently over 40 million open source software components available.
- There will be 420 million versions of open source software components available by 2026.
- Developers download 2 trillion open source packages per year.
The debate over open source versus proprietary code has largely died out, according to Behlendorf. “Very rarely do developers or companies make a binary choice between the two,” he said. Studies have shown that 90% of an average application stack is made up of pre-existing open source code that has been gathered and assembled, with the remaining 10% being custom code.
“Defining your edge is really getting that 10% right and aggressively covering the rest of the 90% with whatever free stuff you can find pre-existing,” he said.
Vulnerabilities in code are on the rise
There is a problem, however, according to Behlendorf: there is a blind spot in the open source space – and in the software space as a whole – in the face of increasing vulnerabilities in the underlying code.
“I wake up in the morning and turn on my laptop… and I get this notice: ‘Hey, there are updated packages. Want to update this before you start your day?’” he said. “And I still get that dopamine hit from clicking ‘yes,’ in part because I know that means that, for reasonable concern, I’m protected from whatever threats someone might want to throw at me today.”
Along the same lines, organizations must be ready to update, Behlendorf said. “How do we get companies to get to the point where they go on the same dopamine rush I do when I wake up in the morning and hit ‘update’ on my laptop?” he asked.
What’s troubling is that, according to Sonatype, 29% of popular open source projects contain known vulnerabilities in their core code or their underlying dependencies, Behlendorf said. Some of these vulnerabilities are easy to exploit, such as the one recently discovered in the Log4j logging library. The Log4Shell exploit has become a poster child, he said, to the point that the US government has asked people involved in the open source industry, “How’s it going over there? How did you not understand that?”
To help prevent such exploits, the Linux Foundation formed the Open Source Security Foundation in 2020, directed by Behlendorf. OpenSSF, which has raised $11 million in annual memberships, is focused on improving the state of cybersecurity in the open source software supply chain, he said.
OpenSSF looks at the question of how code is built in the software industry – not just open source code, but the software supply chain as a whole – and whether there are vulnerabilities beginning to affect it. We have to get smarter about closing some of these opportunities for exploitation, he said.
How Software Bill of Materials Can Help Secure Open Source
One of the tools to address this problem is something the White House has elevated to prominence. In May 2021, Executive Order 14028 was released to improve cybersecurity. The order provides, among other things, that a software bill of materials (SBOM) be included with each software package delivered to executive branch agencies. Behlendorf likened an SBOM to the ingredient label on a bag of bread, because it lets organizations see exactly what they’re getting.
OpenSSF is exploring how to use SBOMs ubiquitously in software supply chains and integrate them into the main code as well as upstream. As developers write and release software, they will also provide SBOMs, including the ingredients from the software they build on, “so when a company has to go out and fix a problem, they at least know where they are vulnerable, and this is the beginning of understanding how to remediate that work,” he said.
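The “ingredient label” idea becomes concrete once an SBOM is matched against advisories: a consumer can tell not only that an affected package is present, but whether it sits in its own code or several layers down in a dependency. The following added example (not code from the article or from OpenSSF) audits a small SBOM in the CycloneDX JSON layout against a constructed advisory list and reports each affected component with the dependency path that pulls it in. The SBOM contents, the advisory identifiers (ADVISORY-PLACEHOLDER-*) and the affected version ranges are all constructed for illustration, not real inventory or advisory data.

```python
import json
import re

# Constructed SBOM in the CycloneDX JSON layout: a component list plus a
# dependency graph keyed by bom-ref. Package names/versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "order-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/web-core@3.2.1",
         "group": "com.example", "name": "web-core", "version": "3.2.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/json-util@1.9.0",
         "group": "com.example", "name": "json-util", "version": "1.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/web-core@3.2.1",
                                     "pkg:maven/com.example/json-util@1.9.0"]},
        {"ref": "pkg:maven/com.example/web-core@3.2.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/com.example/json-util@1.9.0", "dependsOn": []},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
    ],
})

# Constructed advisory feed (placeholder ids, illustrative ranges): a component is
# affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.example",
     "name": "json-util", "introduced": "1.0.0", "fixed": "1.8.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1). Non-numeric suffixes are ignored (a simplification)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check used by most advisory feeds: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_sbom(text: str):
    """Return (root bom-ref, components by bom-ref, dependency graph by bom-ref)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def find_paths(graph: dict, start: str, target: str, path=None) -> list:
    """Depth-first search for every path from start to target (cycle-safe)."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    paths = []
    for child in graph.get(start, []):
        if child not in path:
            paths.extend(find_paths(graph, child, target, path))
    return paths


def audit_sbom(text: str, advisories: list) -> list:
    """Match every SBOM component against the advisories and explain how it is reached."""
    root, components, graph = load_sbom(text)
    findings = []
    for ref, comp in components.items():
        for adv in advisories:
            if (comp.get("group"), comp["name"]) != (adv["group"], adv["name"]):
                continue
            if not is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                continue
            # Translate bom-refs on each path into component names for the report.
            paths = [[components[r]["name"] for r in p] for p in find_paths(graph, root, ref)]
            findings.append({
                "advisory": adv["id"],
                "component": comp["name"],
                "version": comp["version"],
                "fixed": adv["fixed"],
                # A two-node path means the root depends on it directly.
                "reachability": "direct" if any(len(p) == 2 for p in paths) else "transitive",
                "paths": paths,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} ({f['reachability']}), "
              f"fixed in {f['fixed']}; via " + " -> ".join(f["paths"][0]))
```

On the sample data only log4j-core is flagged (json-util 1.9.0 is past the constructed fix version), and the path shows it arrives through web-core rather than from the application’s own dependency list, which is exactly the distinction between “core code” and “underlying dependencies” that matters when deciding who has to ship the fix.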
OpenSSF addresses a number of ways to secure open source software.
“It’s not about writing the one tool that automatically improves all of our cybersecurity,” Behlendorf said. OpenSSF is:
- Prioritizing, identifying and securing the most critical projects.
- Automating the tools developers use to check whether their code is secure, or to choose more mature platforms.
- Educating developers on how to think like an attacker and choose patterns that will lead to higher quality code.
- Funding fixes for the most critical projects. Sometimes someone has to step in, Behlendorf said, and say, “Here’s the forgotten package at the very bottom of the stack that’s actually ubiquitously used everywhere,” and write the code and cover the last mile.
- Informing stakeholders where the risk lies across their entire code portfolio.
- Pushing standards for traceability and code signing throughout the supply chain.
“Open source is everywhere, and you have to figure out how to use it,” Behlendorf concluded. “But it’s really about figuring out, how do you define your edge as being that top layer and get really good at taking advantage of what’s ahead of us?”