Open Source Developers Are Security’s New Front Line - Brian Fox

https://appseccalifornia.org/

As vital as open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to change the world with it is clear - but so is the significant room for error, when not properly managed.

A shifting battlefield of attacks based on OSS consumption has emerged. Five years ago, large and small enterprises alike witnessed the first prominent Apache Struts vulnerability. In this case, Apache responsibly and publicly disclosed the vulnerability at the same time they offered a new version to fix the vulnerability. Despite Apache doing their best to alert the public and prevent attacks from happening — many organizations were either not listening, or did not act in a timely fashion — and, therefore, exploits in the wild were widespread. Simply stated, hackers profit handsomely when companies are asleep at the wheel and fail to react in a timely fashion to public vulnerability disclosures.

Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collection and others, including the 2017 attack on Equifax, all of which followed the same pattern of widespread exploit post-disclosure.

Shift forward to today - and hackers are now creating their own opportunities to attack.

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors. In the past 24 months, no less than 17 real-world examples of this attack pattern have been documented.

It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days - and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.

Open source developers are the front line of the new battle. Attackers have recognized the power of open source and are seeking to use that against the industry. We must not let them ruin the reputation of the things we’ve built. Or worse, the entire open source ecosystem.

Key takeaways:
Understand the details and the events leading to today’s “all-out” attack on the OSS industry - leading to more vulnerabilities in production applications
How the open source industry needs to change, given today’s new normal
How developers can step into the role of security, to protect themselves, and the millions of people depending on them
What enterprises can do to educate their developers on this growing trend of malicious attacks on open source
Why this is trend is only going to continue to grow - leaving more people more and more vulnerable if action isn’t taken


Brian Fox
SVP & Chief Technology Officer, Sonatype
Brian Fox is the co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience.