Proposals to improve the security of open source software have been unveiled at a summit attended by some of the biggest names in tech. The Open Source Security summit, convened by The Linux Foundation and Open Source Software Security Foundation with the support of the US government, follows a spate of supply chain cyberattacks which have been made possible by flaws in open source code.
Held on the one year anniversary of President Joe Biden’s executive order on improving the Nation’s Cybersecurity, yesterday’s summit was attended by over 90 executives from 37 companies as well as government leaders from six government agencies including the National Security Council (NSC) and the Cybersecurity Infrastructure and Security Agency (CISA). Companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMWare are part of the initiative, and have pledged a collective $30m to fund the measures in a ten-point plan to boost security.
The plan was unveiled as part of the summit, which includes promoting better training of developers, introducing digital signatures and auditing the most popular 10,000 open source code libraries. Open source experts believe some elements of the plan are promising, but others may prove too prescriptive to benefit the open source community.
Why does open source security need improving?
The proposals in the ten-point plan have been designed by The Linux Foundation and the Open Source Software Security Foundation to standardise security practices within the open source community. Open source repositories are widely used by developers, and research from open source security vendor Sonatype found that, on average, 85% of every application is comprised of open source code.
Flaws in this code can cause serious problems if exploited by hackers. The most high-profile recent example is the Log4Shell vulnerability, which came to light before Christmas last year. The flaw in a commonly used java library was used by hackers to perpetrate supply chain attacks on customers of businesses whose systems were compromised, including some of the world’s biggest software vendors.
Globally, the number of software supply chain attacks has rocketed lately, with a 650% year-on-year increase last year, according to research by specialist security provider Sonatype.
Open source software security: how can it be improved?
Potential solutions laid out in the ten-point plan include delivering free security coding courses to software developers who want to contribute to the open source community, implementing digital signatures in order to verify the developers and weed out malicious actors, and third party security checks of the most commonly used open source components.
Security experts who spoke to Tech Monitor say the plan should put more responsibility on end users. “The problem is that all of these rules are the developers that make this software and putting more of a burden on them,” argues Peter Chestna, CISO of open source security testing platform Checkmarx. “I see nothing in this about the consumer." Chestna says there should be some onus on the users of open-source code to "have an action plan if a [vulnerability] gets announced or if a malicious code is announced."
Brian Fox, CTO at Sonatype, agrees. “Software is created for humans and by extension, it's going to be fallible," he says. "So if you don't take ownership of the things you're consuming, and don't have procedures in place to be able to respond [to security incidents] it doesn't matter what happens [with the software] - it will never be perfect."
Is greater training for open source software security realistic?
Some of the ideas laid out in the plan may push software developers away from open source, as imposing standards of education on developers before they can contribute to the repositories may deter people from volunteering, Chestna argues.
“Some of these people in open source are paid contributors," he explains. "But many are just developers doing it as a hobby. Are we now going to shut them out and say, 'you can't you can't do this anymore'? I think that would be a mistake.”
However, educating them for free will eventually have the desired effect, believes Fox. “If you're a developer and you don't have this minimum standard of training, it might be harder for you to find the job," he says. "In some industries, that alone is incentive. Is that forcing people? Not quite, but certainly heavily encouraging them, and enabling and empowering them to do it.”
Another controversial point is auditing of the top 10,000 libraries, which could extend to hundreds of thousands or millions of pieces of code once sub-libraries are included, Chestna says.
If that code has been secured, he adds, other libraries will become targets for hackers instead. "When you start to say I'm going to target the top 10,000, this is like saying I'm going to lock the doors and windows on the front side of my house," Chestna says. "You're not watching the back door. We're just moving the problem."
Overall, Chestna believes the plan is on the right track but may be too prescriptive for the open source landscape. "I would say that about half of it is is right headed and should be prioritised," he says. "The other half is is talking about mandates and forcing people to do things that they frankly may not want to do."
However, it may prove to be a first step on the journey of securing open source software, Sonatype's Fox says. "This is a marathon, not a sprint," he adds. "So some of these things will take a long time before they are effectively rolled out across the ecosystem."