February 20, 2020, updated 21 Feb 2020 10:56am

7 of the World’s Top 10 Open Source Packages Come with This Warning

"Changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection"

By CBR Staff Writer

Of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts, the Linux Foundation’s Core Infrastructure Initiative has warned, saying this could pose a security risk to code at the heart of the global economy.

The finding came as the CII delivered the first major census of the free and open source software (FOSS) components that are most widely used in production applications.

The top 10 most-used open source software packages in production applications (with JavaScript components dominating) and the non-JavaScript top 10. Credit: CII.

The dominance of individual developers' GitHub and other code repository accounts was highlighted in the report as potentially worrying for security and stability.

Such reliance on individual accounts comes despite the Foundation and its partners having been able to identify the company affiliation of 75 percent of the top committers to the projects listed.

The Linux Foundation noted: “The consequences of such heavy reliance upon individual developer accounts must not be discounted.

“For legal, bureaucratic, and security reasons, individual developer accounts have fewer protections associated with them than organizational accounts in a majority of cases.

“While these individual accounts can employ measures like multi-factor authentication (MFA), they may not always do so and individual computing environments may be more vulnerable to attack. These accounts do not have the same granularity of permissioning and other publishing controls that organizational accounts do.”

It added: “This means that changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection.”

By running a query on GitHub data, the Foundation was able to determine the top three committers for each of the FOSS projects and identify company affiliations for the majority—over 75 percent—of the top committers.

(Needless to say, this does not mean that contributions were made as a representative of that company; many developers also contribute in their own time to projects with which they may or may not also have a corporate affiliation.)

The report comes amid growing concerns in some quarters about the “back-dooring” of open source software code bases, following several recent such attacks.

(Most famously, a malicious actor gained publishing rights to the event-stream package of a popular JavaScript library and then wrote a backdoor into the package. In July 2019, a Ruby developer’s repository was also taken over and code back-doored.)

The census also points to the risk of developers “deleting” their developer accounts. This happened in 2016 with a package called “left-pad,” with consequences that stakeholders described as “breaking” the Internet for several hours: “Similarly, in 2019, a developer who disagreed with a business decision undertaken by Chef Software removed their code from the Chef repository with similar downstream impacts.”

How does your business mitigate the risk of security flaws in open source components? We’d be keen to hear from you.
