There is a fascinating perspective on who is responsible for open source vulnerabilities from Brian Fox and David Blevins after the Equifax security breach in 2017, which has since been called one of the 5 dumbest data breaches in history. They brought to light the ethics and ethos of what it means to pull from an open source repository: it’s much like taking food from a Food Bank of public intellectual property to build your own application.
Let’s think about what that means inside your own organisation: in modern applications, 90% of application components are open source. This means that our products are feasts built from these intellectual Food Banks, a metaphor made only more apt when you understand that all software ages like milk, not wine. Within a given organisation, on average 11% of those open source components have known security vulnerabilities that can be easily exploited in cyberattacks.
This ‘Food Bank’ model of open software sharing is exactly what has led to the explosion of development in the last decade. It’s also what makes it such an incredible time to be part of human history: as modern developers, we really are at the cutting edge, forming a global economy of intellectual property that’s never been seen before. It’s also why cybersecurity is rapidly changing, and why we as a global community need to coordinate our efforts to keep open source communities secure.
Balancing the scales of acceleration and security is something that dozens of books and thousands of security SOPs have been designed to handle: cybersecurity at the very end of the supply chain. While that has worked in the past for more monolithic and centralised architectures, that approach now feels a lot like bringing duct tape to stop a water leak, when what you need to be worried about is the failure of the dam it’s sourced from.
Solving this problem starts by rethinking security of the open source ecosystems that we all know, love, and depend on.
The landscape of cybersecurity itself is rapidly changing. Traditional, or “legacy”, attacks used to target code downstream, but the next generation of attacks is typo-squatting, malicious code injection and tool tampering. Instead of waiting for a security vulnerability to be discovered, attackers now simply manufacture one themselves or prey on low attention spans. The next generation of cybersecurity poses risks to everyone from the biggest corporations to the smallest hobbyist project, because we all rely on the same open source ecosystems to do our work.
In 2020 Sonatype documented 1,200 such attacks across open source ecosystems, but in 2021 they have identified over 12,000 in npm alone. It is absolutely evident that open source contribution is where innovation will be in the next decade, both in real human progress and in the malware designed to exploit it.
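As an added illustration of the typo-squatting risk described above (example code written for this page, not Sonatype’s tooling or the original post’s code): a small check that flags dependency names in a package.json that sit within two edits of a well-known npm package. The allowlist and the sample manifest are constructed for the example; in practice the allowlist would come from a registry popularity feed.

```python
"""Flag npm dependency names that look like typo-squats of well-known packages."""
import json

# Constructed allowlist of well-known npm package names. A real check would
# draw this from a registry popularity feed; this set is for the example only.
KNOWN_PACKAGES = {"lodash", "express", "react", "request", "chalk", "commander"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so that a
    single adjacent swap such as 'lodahs' -> 'lodash' counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_suspects(package_json: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> dict:
    """Return {dependency: closest_known_name} for each dependency that is not
    itself a known package but lies within max_dist edits of one."""
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    suspects = {}
    for name in deps:
        bare = name.rsplit("/", 1)[-1]  # drop an @scope/ prefix if present
        if bare in known:
            continue
        closest = min(known, key=lambda k: edit_distance(bare, k))
        if edit_distance(bare, closest) <= max_dist:
            suspects[name] = closest
    return suspects


# Constructed manifest: 'lodahs' (swapped letters) and 'expres' (dropped letter)
# should be flagged; 'express' and 'left-pad' should not.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"lodahs": "^4.17.0", "express": "^4.18.0", "left-pad": "1.3.0"},
  "devDependencies": {"expres": "^4.0.0"}
}"""

if __name__ == "__main__":
    for dep, target in find_suspects(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: possible typo-squat of {target}")
```

Short names that legitimately sit close to a popular package will produce false positives, so treat hits as prompts for review rather than automatic blocks.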
There is an imperative for those who benefit from open source to invest as much in the supply chain as in the code that’s produced. It’s not just about doing the right thing here. It’s the fact that “not doing the right thing leads to massive, outsized losses” for industry and open source communities alike. That’s the reality of the modern development landscape: in a world of continuous integration and delivery, we have to start thinking about continuous security in open source.
There’s work to be done here to ensure we build and secure an open source software supply chain that works for everyone. Sonatype has been hosting the Maven Central Repository for Apache for a decade, and this has enabled the creation of a security taxonomy that offers the ability to detect, report and resolve vulnerability and malware attacks before they make their way into our applications, and to provide actionable recommendations when new vulnerabilities in distributions are surfaced. We must build this scalable security for other ecosystems.
We can only reduce developer toil around cybersecurity by evolving these best practices to match the size of the problem at hand, and that means tackling security in partnership with open source organisations and building solutions that really scale. If that piques your interest, then I’d encourage you to see some of the great work we’ve already started to build that future, and to stay up to date with the work we are doing with the Open Source Index Integrations to build a better open source supply chain that works for everyone.