Securing the open source software supply chain



The wave of supply chain attacks that emerged last year hit some of the largest commercial software companies on the planet, causing widespread ripple effects for tens of thousands of organizations. But beyond the huge incidents that made headlines, such as SolarWinds, there is a low hum of constant, smaller attacks on open source software projects that can cause serious problems not only for the maintainers and users of a given project, but also for the maintainers and downstream users of everything that depends on it.

The most recent example of this issue is the attack that compromised the Bash Uploader script of the Codecov code coverage tool. This incident affected not only the companies that relied on the tool itself, but also many downstream open source projects that use it. The attacker had access to the script for more than two months and was able to steal sensitive data from customer environments.

“The actor was granted access due to an error in Codecov’s Docker imaging process that allowed the actor to extract the credentials required to modify our Bash Uploader script,” Codecov CEO Jerrod Engelberg said in a statement.

There are many other quieter incidents that remain under the radar, including simple typosquatting attacks that attempt to impersonate popular packages and more complex attempts to insert backdoors into projects.

“There are two issues with the security of open source software. First, it’s open source, and second, it’s software. All software has bugs, whether it’s written by me or by you or by someone you’ve never met,” said Dan Lorenc, a software engineer at Google, during a presentation at the company’s Open Source Day of Security event on Thursday.

“Sometimes just because it’s free doesn’t mean it’s free to use. It can cause more problems than it’s worth. Anyone who has spent time on the internet knows that not everyone is nice; there are people who try to insert bugs. Very few people look at the source code. The source code is transparent, but the way people use it is opaque.”

The dependency tree in any supply chain can be complex, even for the simplest software, and finding out what those dependencies are can be difficult, if not impossible. This lack of transparency prevents organizations from understanding the security risks that open source software can pose, an issue Google is trying to address with a new tool called Open Source Insights. The site displays a visualization of the dependencies of a given package, lists the security advisories that affect it and the other packages that depend on it, and allows users to compare different versions of the package. It is still an experimental project, but Open Source Insights could give companies a better understanding of the risks they are taking on.

“The software packages that a large project depends on may be updated too frequently to keep a clear picture of what’s going on. And these packages, in turn, can modify their dependencies to provide new functionality or fix bugs. As a result, security issues and other issues may arise unexpectedly in your project, and the scale of the problem can make all of this difficult to manage. Even a small OSS project can depend on hundreds of packages,” Google said.

Examining the dependencies of open source projects is just one step toward understanding their impact on security and improving the security of the open source supply chain. Businesses need to understand exactly which open source applications they are using and what the potential risks are for each one.

“Know what you are using. It sounds obvious, but it’s not always that easy. Browse the provider tree and check the dependencies. You can trust these dependencies, but if you don’t trust the whole transitive tree of their dependencies, it can get out of hand,” Lorenc said.
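The transitive-tree check Lorenc describes, as an added example that is not from the article, from Google or from Open Source Insights: a small Python walk over a constructed lock-file graph that lists everything a root package pulls in (cycle-safe), flags resolved versions that predate a fix in a constructed advisory list, and reports which direct dependency pulled each affected package in. All package names, versions and advisory ids are constructed placeholders.

```python
from collections import deque

# Constructed lock-file style graph (not real packages): package -> (resolved version, direct deps)
SAMPLE_LOCK = {
    "my-service": ("1.0.0", ["web-framework", "coverage-uploader"]),
    "web-framework": ("4.2.1", ["template-engine", "http-parser"]),
    "template-engine": ("2.0.3", ["string-utils"]),
    "http-parser": ("0.9.8", ["string-utils"]),
    "coverage-uploader": ("1.1.0", ["http-parser"]),
    "string-utils": ("3.1.0", ["template-engine"]),  # constructed cycle
}
# Constructed advisory feed: package -> [(first fixed version, placeholder advisory id)]
SAMPLE_ADVISORIES = {
    "http-parser": [("1.0.0", "ADVISORY-ID-PLACEHOLDER-1")],
    "string-utils": [("3.0.0", "ADVISORY-ID-PLACEHOLDER-2")],  # 3.1.0 is already fixed
}

def parse_version(v):
    # Numeric tuple so 0.9.8 < 1.0.0 compares correctly (plain dotted versions only)
    return tuple(int(x) for x in v.split("."))

def transitive_closure(lock, root):
    # Breadth-first walk; returns {package: (version, parent)}. Marking a package as
    # seen before queueing it keeps the walk safe against dependency cycles.
    seen = {root: (lock[root][0], None)}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in lock[pkg][1]:
            if dep not in seen:
                seen[dep] = (lock[dep][0], pkg)
                queue.append(dep)
    return seen

def path_to_root(closure, pkg):
    # Chain from the root down to pkg: shows which direct dependency pulled it in
    chain = []
    while pkg is not None:
        chain.append(pkg)
        pkg = closure[pkg][1]
    return list(reversed(chain))

def find_affected(lock, advisories, root):
    # Every transitive dependency whose resolved version predates an advisory's fix
    closure = transitive_closure(lock, root)
    hits = []
    for pkg, (version, _parent) in closure.items():
        for fixed_in, adv_id in advisories.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((pkg, version, adv_id, path_to_root(closure, pkg)))
    return sorted(hits)
```

Running `find_affected(SAMPLE_LOCK, SAMPLE_ADVISORIES, "my-service")` reports only `http-parser` 0.9.8, reached through `web-framework`, even though `coverage-uploader` also depends on it; a real run would replace the constructed graph with a parsed lock file and the advisory list with a vulnerability feed.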

He also encouraged open source software users to contribute upstream whenever possible by helping with patches or other fixes.

“Security is not a priority for open source developers or the average developer in general. It’s an afterthought. We have to make it easier,” said Lorenc. “We need to create new tools and cryptographies and collect more data to secure the open source supply chain.”
