Developers
October 5, 2020

Google, Microsoft, IBM, GitHub, Red Hat, and Others Create the Open Source Security Foundation

Some of the biggest names in the tech industry have joined the Open Source Security Foundation as founding members.

According to the July 2020 McAfee COVID-19 Threat Report, malware rose 27% over the previous four quarters. Unfortunately, the rise is across various industry categories. New macOS malware rose 51%, new mobile malware increased 71% and new Internet of Things (IoT) malware rose almost 58%.

As McAfee’s Pravat Lall highlights, the COVID-19 pandemic has only made the rise of malware even worse. As employees suddenly had to start working from home, many were not well versed in good security practices, creating soft targets for malware creators.

In addition, open source software has increasingly become a major target for hackers and bad actors. This has led GitHub, Google, IBM, JPMC, Microsoft, NCC Group, OWASP Foundation and Red Hat to create the Open Source Security Foundation (OpenSSF), with the support of The Linux Foundation.

Why the sudden threat to open source software? How does it impact the industry in general? What role will the OpenSSF play in combatting the threat?

Open Source as a Target

For years, open source software was widely considered to be safer and more secure than closed source alternatives. This was largely because anyone could look at the code, identify vulnerabilities, and help fix them.

Unfortunately, as open source software has become more widespread, it has created a major attack vector for bad actors. In announcing GitHub’s commitment to the OpenSSF, Jamie Cool made the following observation:

“Software runs the world and open source components form the essential building blocks for all software projects. Today, 99% of codebases contain open source components, and on average, each of those repositories has over 200 dependencies. However, while open source software fuels agility and innovation, it also means that projects inherit technical debt and risk from these components.”

Another major factor has been the rise in supply chain attacks. A supply chain attack involves injecting malware into code before it goes into production, ensuring everyone downstream is impacted. Because of the decentralized nature of open source, it can be particularly vulnerable to supply chain attacks.

For example, the Linux Foundation’s Core Infrastructure Initiative discovered that 7 of the top 10 most-used open source packages were being maintained on an individual developer’s account. Since the level of, and commitment to, security varies from one developer to another, there is no way to know if appropriate measures are being taken. Worse yet, if one of these accounts was compromised and malicious code injected, it would be extremely difficult, if not impossible, to reliably determine that before the damage occurred.
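The two preceding paragraphs describe the risk of an artifact being altered upstream of a project's build, where the downstream consumer has no easy way to tell. One defensive control a consuming project can apply on its own side is to pin every dependency to a cryptographic digest in a committed lockfile and refuse to install anything that does not match. The following is an added example (not from the article, the OpenSSF, or any of the companies named); the package names, artifact bytes and the `name sha256:<hex>` lockfile format are all constructed for illustration and mimic, rather than implement, the hash-pinning features of real package managers.

```python
"""Verify fetched dependency artifacts against digests pinned in a lockfile.

Added example: the lockfile format, package names and artifact contents below
are constructed for illustration and do not correspond to real packages.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's raw bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the tarballs a project's build would download.
# The digests recorded below are computed from exactly these bytes.
TRUSTED_ARTIFACTS: Dict[str, bytes] = {
    "example-http-client-2.1.0.tar.gz": b"def get(url):\n    return _request('GET', url)\n",
    "example-logger-0.9.4.tar.gz": b"def log(msg):\n    print(msg)\n",
}


def render_lockfile(artifacts: Dict[str, bytes]) -> str:
    """Emit one 'name sha256:<hex>' line per artifact, the form a project commits."""
    return "".join(
        f"{name} sha256:{sha256_hex(data)}\n" for name, data in sorted(artifacts.items())
    )


def parse_lockfile(text: str) -> Dict[str, str]:
    """Parse the committed pins; reject malformed lines rather than silently skipping them."""
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"lockfile line {lineno}: expected '<name> sha256:<hex>'")
        name, digest = parts
        if not digest.startswith("sha256:") or len(digest) != len("sha256:") + 64:
            raise ValueError(f"lockfile line {lineno}: unsupported or malformed digest")
        pins[name] = digest[len("sha256:"):].lower()
    return pins


def verify_fetched(pins: Dict[str, str], fetched: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Compare every fetched artifact with its pin.

    Returns (accepted, rejected). Anything unpinned, mismatching, or pinned but
    absent is rejected, so one altered or unexpected package fails the whole step
    instead of being installed alongside the good ones.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for name, data in sorted(fetched.items()):
        expected = pins.get(name)
        if expected is None:
            rejected.append(f"{name}: not pinned in lockfile")
        elif not hmac.compare_digest(sha256_hex(data), expected):
            rejected.append(f"{name}: digest mismatch")
        else:
            accepted.append(name)
    for name in sorted(set(pins) - set(fetched)):
        rejected.append(f"{name}: pinned but not fetched")
    return accepted, rejected


LOCKFILE_TEXT = render_lockfile(TRUSTED_ARTIFACTS)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one artifact gained extra bytes after it was pinned,
    and one package that was never pinned arrived with the others."""
    fetched = dict(TRUSTED_ARTIFACTS)
    fetched["example-logger-0.9.4.tar.gz"] += b"# unexpected bytes not present when pinned\n"
    fetched["example-unpinned-1.0.0.tar.gz"] = b"def helper():\n    pass\n"
    return verify_fetched(parse_lockfile(LOCKFILE_TEXT), fetched)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately strict in both directions: an unpinned package is treated as a failure, not a warning, because the whole point of the lockfile is that nothing reaches the build that a maintainer did not explicitly record. Digest comparison uses `hmac.compare_digest` out of habit rather than necessity here, since both values are public.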

Mark Russinovich, Microsoft Azure’s Chief Technology Officer, highlighted these issues as a motivating concern in the founding of the OpenSSF:

“Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT.

“Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.”

How the OpenSSF Will Help

The primary way the OpenSSF will help address open source security is by being a central place for companies across industries to consolidate their efforts. Presently, there are multiple security initiatives aimed at improving open-source software. These are now being brought under the umbrella of the OpenSSF.

As a result, the OpenSSF will provide a central place to disclose discovered vulnerabilities, establish security best practices, develop security tooling, identify trusted developers, and secure critical components developers and industries rely on. Most importantly, the OpenSSF will serve as a central place where security researchers and professionals can come together to collectively work toward improving open source security.

Jim Zemlin, Executive Director at The Linux Foundation, summed it up best:

“We believe open source is a public good and across every industry, we have a responsibility to come together to improve and support the security of open-source software we all depend on. Ensuring open source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

Matt Milano
Technical Writer
Matt is a tech journalist and writer with a background in web and software development.
