Proposals to improve the security of open source software have been unveiled at a summit attended by some of the biggest names in technology. The Open Source Security Summit, organized by the Linux Foundation and the Open Source Software Security Foundation with support from the US government, follows a series of supply chain cyberattacks made possible by flaws in open source code.
Organized to mark the first anniversary of President Joe Biden's Executive Order on Improving the Nation's Cybersecurity, yesterday's summit brought together more than 90 executives from 37 companies as well as leaders from six government agencies, including the National Security Council (NSC) and the Cybersecurity and Infrastructure Security Agency (CISA). Companies such as Amazon, Ericsson, Google, Intel, Microsoft and VMware are part of the initiative and have pledged $30 million to fund the measures in a ten-point plan to tighten security.
The plan, unveiled at the summit, includes promoting better developer training, introducing digital signatures and auditing the top 10,000 open source code libraries. Open source experts think some elements of the plan are promising, but others may prove too prescriptive to benefit the open source community.
Why does open source security need to be improved?
The ten-point plan proposals were designed by the Linux Foundation and the Open Source Software Security Foundation to standardize security practices within the open source community. Open-source repositories are widely used by developers, and research from open-source security vendor Sonatype found that, on average, 85% of every application is made up of open-source code.
Flaws in this code can cause serious problems if exploited by hackers. The most publicized recent example is the Log4Shell vulnerability, which was disclosed shortly before Christmas last year. The flaw, in a commonly used Java library, has been exploited by hackers to carry out supply chain attacks against enterprise customers, compromising systems at organizations that include some of the world's largest software companies.
Globally, the number of software supply chain attacks has skyrocketed lately, with a 650% year-on-year increase last year, according to research from specialist security vendor Sonatype.
Open source software security: how to improve it?
Potential solutions outlined in the ten-point plan include providing free security coding courses to software developers who want to contribute to the open source community, implementing digital signatures to verify developers and weed out malicious actors, and third-party security checks of the most commonly used open source components.
Security experts who spoke with Tech Monitor say the plan should do more to empower end users. “The problem is that all of these rules are the developers creating this software and putting an additional burden on them,” says Peter Chestna, CISO of open-source security testing platform Checkmarx. “I don’t see anything in there about the consumer.” Chestna says it should be the responsibility of users of open source code “to have a plan of action if a [vulnerability] is announced or if malicious code is announced.”
Brian Fox, CTO at Sonatype, agrees. “Software is created for humans, and by extension it will be fallible,” he says. “So if you don’t take ownership of the things you consume and you don’t have procedures in place to be able to respond [to security incidents] no matter what happens [with the software] – it will never be perfect.”
Is more open source software security training realistic?
Some of the ideas in the plan may drive software developers away from open source, because imposing education standards on developers before they can contribute to repositories can deter people from volunteering, Chestna argues.
“Some of these people in open source are paid contributors,” he explains. “But a lot of them are just developers doing it as a hobby. Are we now going to kick them out and say, ‘you can’t, you can’t do this anymore’? I think that would be a mistake.”
However, educating them for free will eventually have the desired effect, Fox believes. “If you’re a developer and you don’t have that minimum level of education, you might find it more difficult to find a job,” he says. “In some industries, that alone is an incentive. Does it force people? Not quite, but certainly by strongly encouraging them, allowing them and empowering them to do so.”
Another controversial point is auditing the top 10,000 libraries, which could expand to hundreds of thousands or millions of pieces of code once sub-libraries are included, Chestna says.
If that code has been secured, he adds, other libraries will instead become targets for hackers. “When you start saying I’m going to target the top 10,000, that’s like saying I’m going to lock the doors and windows on the front of my house,” Chestna says. “You’re not watching the back door. We’re just shifting the problem.”
Overall, Chestna thinks the plan is on the right track, but may be too prescriptive for the open source landscape. “I would say about half of them are directed to the right and should be prioritized,” he says. “The other half is talking about mandates and forcing people to do things they frankly don’t want to do.”
However, it may prove to be a first step on the road to securing open source software, says Sonatype’s Fox. “It’s a marathon, not a sprint,” he adds. “So some of these things will take a long time to actually roll out to the ecosystem.”