Understanding Secure Software Development Essentials
April 08, 2024

Omkhar Arasaratnam
OpenSSF

Using open source software has many benefits for organizations. It fosters transparency and innovation, provides flexibility and customization, cuts development costs and enables collaboration with other developers.

However, organizations could open themselves up to risks if the open source software isn't developed securely. According to a recent report, nearly three-quarters of all commercial codebases contain open source software with high-risk vulnerabilities. These vulnerabilities could lead to holes in the software supply chain for bad actors to exploit, risking malicious attacks and data breaches within organizations.

Vulnerabilities have become pervasive across the software supply chain, as have the malicious actors seeking to exploit them, prompting organizations to bolster security throughout the entire software development life cycle (SDLC) to protect their assets. This emphasis on security is particularly critical for those organizations involved in producing and distributing software that utilizes open source components.

Securely developing open source software is crucial for fostering community trust and ensuring safe, global accessibility while also promoting rapid innovation and maintaining legal compliance. Properly executed, it helps organizations see real measurable change in the health of software supply chains.


A Call for Open Source Security Standardization

A high-profile example of how a vulnerability in open source software can have catastrophic impact is the Log4J incident. Dubbed "Log4Shell," one of the most widespread security vulnerabilities in recent years, this flaw in the popular open source Log4J logging library left millions of organizations susceptible to attackers infiltrating and taking total control of their systems. Even organizations that were spared direct attacks scrambled to remediate their systems in late 2021, during a typically quiet period.

The vulnerability was even exploited by state-sponsored hackers to target US critical infrastructure and it was used by top ransomware groups LockBit and ALPHV/BlackCat in attacks. The effects were so devastating that years later, companies are dealing with the fallout, all because one open source link in the software supply chain was not secure.

However, identifying the risks within a software supply chain can be challenging. The best way to protect assets and ensure the integrity of the applications and development pipelines is to develop software with security in mind from the start. Failing to do so could have devastating effects.

There is a strong need for standardized security guidelines to enable open source software developers to prioritize security from the outset. Although the advantages of doing so are clear, building universally agreed-upon frameworks and implementing them at scale is a massive undertaking — one that has yet to be fulfilled.

In lieu of standardization, developers can adopt best practices for better software security. From risk assessment to secure coding practices, these principles can foster a proactive approach to mitigating vulnerabilities and enhancing overall software resilience, and act as a roadmap for developers to embed security into every stage of the software development life cycle.

Top 10 Secure Software Development Guiding Principles

Adopting robust guiding principles for secure software development can enhance both the security and transparency of the software supply chain. The following guidelines, developed by the Open Source Security Foundation (OpenSSF) End Users Working Group, encourage software organizations to take responsibility for their consumption of open source software by focusing on the activities with the greatest impact, and provide a roadmap for implementing supply chain security best practices.

1. Employ development practices that are in conformance with modern, industry-accepted secure development methods.

2. Learn and apply secure software design principles (such as least privilege).

3. Learn the most common kinds of vulnerabilities and take steps to make them unlikely or limit their impact.

4. Check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.

5. Harden and secure your software development infrastructure against compromise or infiltration, applying the same principles, practices, and expectations set for the software developed on and built from it.

6. Prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the secure software development guiding principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.

7. Provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.

8. Manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.

9. Publish security advisories consistent with evolving industry best practices.

10. Actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and evangelize adoption of the secure software development guiding principles among your industry peers.

As the benefits of using open source software are clear, developers need to find ways to create and use it safely to protect the whole software supply chain ecosystem. Developing with security in mind from inception and following the top 10 secure software development guiding principles will help increase transparency and security. Following these steps will put you on the path to ensuring you won't be impacted by the next Log4J, or worse, in the future.

Omkhar Arasaratnam is GM at OpenSSF