Open-source software has injected fun and excitement into the lives of IT professionals and technology hobbyists alike. Collaborative by nature, the software can be written by anyone and distributed under licenses that grant others the right to use, change and share the code. Open-source software is foundational for most technology we use today and can result in very valuable solutions that are extensively peer reviewed and maintained.
It is also proliferating fast. Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report found that of 1,000 code bases audited, 96% contained open-source code and 77% of all source code and files originated from open source. Most forecasters expect open-source software growth of close to 20% annually over the next decade, with the size of the market now generally estimated between $30 billion and $40 billion.
Unsurprisingly, open-source software's lineage is complex. Whereas commercial software is typically designed, built and supported by one corporate entity, open-source code could be written by a developer, a well-resourced open-sourced community or a teenage whiz kid.
Libraries containing all of this open-source code, procedures and scripts are extensive. They can contain libraries within libraries, each with its own family tree. A single open-source project may have thousands of lines of code from hundreds of authors, which can make line-by-line code analysis impractical and may result in vulnerabilities slipping through the cracks.
These challenges are further exacerbated by the fact that many libraries are stored on public repositories such as GitHub, which may be compromised by bad actors injecting malicious code into a component. Vulnerabilities can also be accidentally introduced by developers. Synopsys' OSSRA report found that 74% of the audited code bases had high-risk vulnerabilities.
And don't forget patching, updates and security notifications, which are standard practice for commercial suppliers but likely lacking (or far slower) in the world of open-source software. In addition, supply chain cyber risk is turbocharged. The software generally lacks a formal record of its components and their supply-chain relationships, the so-called Software Bill of Materials (SBOM).
Add it all up and these vulnerabilities, along with the rapid growth of open-source software, create a vast and rapidly expanding cyberattack environment.
Examples of this risk are everywhere. In April, the discovery of malicious code in XZ Utils showed attackers had spent years trying to gain remote administrator access to Linux systems. They were thwarted by a software engineer who stumbled across the code by accident, but a successful attack would have been unprecedented on an open-source supply chain in terms of scale.
Another major security scare came in November 2021 with a critical vulnerability discovered in the Log4j logging tool, which is used by millions of computers running online services. Known as Log4Shell, it was considered a zero-day vulnerability that had most likely been exploited before its discovery.
Consumers of open-source software need to make cybersecurity a priority
Incidents like these are raising much needed awareness about open-source cyber risk. Unfortunately, project developers are still creating solutions without considering security, quality control and testing history. That means consumers of open-source software need to make cybersecurity a priority.
Where do we go from here?
Companies need to implement concrete standards on what can be downloaded and what vetting will occur before the software is incorporated. These standards should incorporate the software's lineage, previous known vulnerabilities and whether those have been addressed. Companies must be clear about how the software is supported — if at all. It may sound obvious, but they also need to ensure they are using the latest version.
Next, careful attention should be paid to any potential license violations. Open-source components often do not have a license at all or have one that is incompatible with the intended use.
Supply chain vulnerabilities should also be assessed by requesting evidence of suppliers' security controls and secure development practices. Open-source software should be included in routine vulnerability and security scanning and patch management.
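The vetting standards described above (lineage, known vulnerabilities and whether they have been fixed, current version, license) can be applied mechanically when the component inventory is available as an SBOM. The following script is an added example, not code from the original article or from any vendor it names: it reads a constructed CycloneDX-style SBOM, checks each component against a constructed advisory feed, a constructed "latest release" index and a license allow-list, and returns the findings a reviewer would triage before the software is incorporated. All component names, advisory IDs and version numbers are invented for illustration.

```python
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical application.
# Names, versions and licenses are invented; they are not real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "logging-lib", "version": "2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "yaml-parser", "version": "1.3.0",
     "licenses": []},
    {"type": "library", "name": "compress-utils", "version": "5.6.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "http-client", "version": "4.2.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""

# Constructed advisory feed: name -> [(advisory id, first affected, first fixed)].
# Placeholder IDs stand in for whatever vulnerability database is used in practice.
ADVISORIES = {
    "logging-lib": [("ADV-EXAMPLE-001", "2.0.0", "2.17.1")],
    "compress-utils": [("ADV-EXAMPLE-002", "5.6.0", "5.6.2")],
}

# Constructed "latest release" index, as a registry or release feed would provide.
LATEST = {"logging-lib": "2.24.1", "yaml-parser": "1.3.0",
          "compress-utils": "5.6.2", "http-client": "4.2.0"}

# Assumed organisational allow-list of licenses compatible with the intended use.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str      # "vulnerable", "outdated" or "license"
    detail: str


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are ignored, short versions padded."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def component_licenses(component):
    """Collect declared SPDX ids (or free-text names) from a CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        lid = lic.get("id") or lic.get("name")
        if lid:
            ids.append(lid)
    return ids


def evaluate_component(component, advisories, latest, allowed_licenses):
    name, version = component["name"], component["version"]
    v = parse_version(version)
    findings = []
    # Known vulnerability still present: version inside [introduced, fixed).
    for adv_id, introduced, fixed in advisories.get(name, []):
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append(Finding(name, "vulnerable",
                                    f"{adv_id}: {version} affected, fixed in {fixed}"))
    # Not on the latest version.
    newest = latest.get(name)
    if newest and parse_version(newest) > v:
        findings.append(Finding(name, "outdated", f"{version} behind latest {newest}"))
    # Missing license, or a license outside the allow-list.
    lids = component_licenses(component)
    if not lids:
        findings.append(Finding(name, "license", "no license declared"))
    for lid in lids:
        if lid not in allowed_licenses:
            findings.append(Finding(name, "license", f"{lid} not on the allow-list"))
    return findings


def evaluate_sbom(sbom_json, advisories=ADVISORIES, latest=LATEST,
                  allowed_licenses=ALLOWED_LICENSES):
    """Return every finding for every component in the SBOM document."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        findings.extend(evaluate_component(component, advisories, latest, allowed_licenses))
    return findings


if __name__ == "__main__":
    for f in evaluate_sbom(SBOM_JSON):
        print(f"[{f.kind:10}] {f.component}: {f.detail}")
```

Run against the constructed SBOM, the script flags the logging library as both vulnerable and outdated, the YAML parser for having no license at all, and the compression library on all three counts, while the HTTP client passes. In a real pipeline the advisory feed and latest-release index would come from a vulnerability database and the package registry, and the check would run on every build so that a component that was clean yesterday is re-evaluated when a new advisory appears.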
Companies that utilize open-source software should also consider engaging a cyber insurance provider. In addition to providing responsive insurance coverage, many carriers offer proactive services to help companies assess cyber risks and monitor IT environments, and even send threat alerts (as was the case with Log4j).
Companies that fail to conduct proper cyber due diligence when deploying open-source software, or neglect to incorporate it into their scanning, are exposing themselves and third parties to malicious activity and the potential for liability issues.
Democratic and nimble, open-source software delivers innovation at speed by vastly reducing development and testing times. But its usage needs to be balanced by compliance and security.