While app development is faster and easier, security is still a concern:
In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied – computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things (IoT) – open source software (OSS) was in 100 percent of audited codebases. The other verticals had open source in at least 93 percent of theirs. Open source can help drive efficiency, cost savings, and developer productivity.
"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.
That said, the increasing use of open source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to myriad targets that depend on it.
The broad use of OSS packaging in development means that often enterprises don't know exactly what's in their software. Having a lot of different hands involved increases complexity, and it's hard to know what's going on in the software supply chain. A report last year from VMware found that concerns about OSS included having to rely on a community to patch vulnerabilities, and the security risks that come with that.
Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.
Badhwar noted that 95 percent of all vulnerabilities are found in "transitive dependencies" – open source code packages that are indirectly pulled into projects rather than selected by developers.
[...] Developers pull the source components together and add business logic, Fox told The Register. This way, open source becomes the foundation of the software. What's changed in recent years is the general awareness of it – not only among well-meaning developers who are creating the software from these disparate parts.
"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."
That came to the fore with the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the firm's build system and slipped malicious code into a product update. Customers who unknowingly downloaded and installed the code during the update process were then compromised. Similar incidents followed, including the Kaseya attack and, most notably, Log4j, which was not an injected backdoor but a vulnerability in a ubiquitous component.
The Java-based logging tool is an example of the massive consolidation of risk that comes with the broad use of popular components in software, Fox argued.
"It's a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application – and you would be right 99.99 percent of the time," he said. "As an attacker ... you're going to focus on those types of things. If you can figure out how to exploit it, it makes it possible to 'spray and pray' across the internet – as opposed to in the '90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code."
Enterprises have "effectively outsourced 90 percent of your development to people you don't know and can't trust. When I put it that way, it sounds scary, but that's what's been happening for ten years. We're just now grappling with the implications of it."
Log4j also highlighted another issue within the software supply chain and woke many up to how dependent they are on OSS. Even so, an estimated 29 percent of Log4j downloads are still of vulnerable versions.
According to analysis by Sonatype, the majority of the time that a company uses a vulnerable version of any component, a fixed version of the component is available – but they're not using it. That points to a need for more education, according to Fox. "96 percent of the problem is people keep taking the tainted food off the shelf instead of taking a cleaned-up one."
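The two numbers above (Badhwar's point that most vulnerabilities sit in transitive dependencies, and Sonatype's point that a fixed version usually already exists) both fall out of the same walk over a dependency tree. The following is an added example, not code from the article, Endor Labs or Sonatype: the dependency graph and the advisory list are constructed inline for illustration, and the package names are invented. A real run would read the graph from a lockfile (package-lock.json, `mvn dependency:tree`, etc.) and the advisories from a feed such as OSV.

```python
"""Classify vulnerable dependencies as direct or transitive and check for fixes.

Added example, not code from the article, Endor Labs or Sonatype. The dependency
graph and the advisory list below are constructed for illustration; a real run
would read the graph from a lockfile and the advisories from a feed such as OSV.
Versions are compared as dotted integer tuples, enough for this demo but not a
full semver or Maven version parser.
"""
from collections import deque

# Constructed dependency graph: name -> (resolved version, [direct requirements]).
# "app" is the root. What it lists is a direct dependency; anything reachable
# only through another package is transitive (the 95 percent Badhwar refers to).
GRAPH = {
    "app":           ("1.0.0",  ["web-framework", "json-parser"]),
    "web-framework": ("4.2.0",  ["logging-core", "http-client"]),
    "json-parser":   ("2.9.1",  []),
    "http-client":   ("3.1.0",  ["logging-core"]),
    "logging-core":  ("2.14.1", []),   # the "simple component way down" the tree
}

# Constructed advisories: versions below `vulnerable_below` are affected and
# `fixed_in` is the first clean release (None if no fix has shipped yet).
ADVISORIES = {
    "logging-core": {"vulnerable_below": "2.16.0", "fixed_in": "2.16.0"},
    "json-parser":  {"vulnerable_below": "2.9.2",  "fixed_in": "2.9.2"},
    "http-client":  {"vulnerable_below": "3.2.0",  "fixed_in": None},
}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1), so 2.9.10 sorts after 2.9.2 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def classify(graph, root="app"):
    """Map every package reachable from `root` to 'direct' or 'transitive'."""
    direct = graph[root][1]
    kind = {name: "direct" for name in direct}
    queue, seen = deque(direct), set()
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        for dep in graph[name][1]:
            kind.setdefault(dep, "transitive")  # never downgrade a direct dep
            queue.append(dep)
    return kind


def audit(graph, advisories, root="app"):
    """Return one finding per vulnerable package in the tree, sorted by name."""
    findings = []
    for name, reachability in classify(graph, root).items():
        advisory = advisories.get(name)
        if advisory is None:
            continue
        version = graph[name][0]
        if parse_version(version) < parse_version(advisory["vulnerable_below"]):
            findings.append({
                "package": name,
                "version": version,
                "reachability": reachability,
                "fixed_in": advisory["fixed_in"],
                "fix_available": advisory["fixed_in"] is not None,
            })
    return sorted(findings, key=lambda f: f["package"])


def fix_available_ratio(findings):
    """Fraction of findings for which a clean version already exists (Sonatype's point)."""
    if not findings:
        return 0.0
    return sum(f["fix_available"] for f in findings) / len(findings)


if __name__ == "__main__":
    results = audit(GRAPH, ADVISORIES)
    for f in results:
        fix = f"upgrade to {f['fixed_in']}" if f["fix_available"] else "no fix yet"
        print(f"{f['package']}=={f['version']}: {f['reachability']}, {fix}")
    print(f"fix already available for {fix_available_ratio(results):.0%} of findings")
```

On the constructed graph the logging library is vulnerable, only reachable transitively, and already has a fixed release; the same shape is what a real lockfile audit reports, and the "fix available" column is the one that separates an education problem from an upstream-patching problem.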
There is another rising threat related to OSS: the injection of malware into package repositories like GitHub, Python Package Index (PyPI), and NPM. Cybercriminals publish malicious packages that masquerade as popular code, via dependency confusion (registering a public package under the name of an organisation's private, internal one, so that a build tool resolving by name may fetch the public copy instead) and other techniques, to trick developers into putting the code into their software.
They may also register a lookalike name that swaps a dash for an underscore, or otherwise differs by a character (typosquatting), in hopes that developers, or their tooling, grab the wrong component.
"The challenge with this is that the attack happens as soon as the developer downloads that component and these downloads happen by the tools," Fox said. "It's not like they're literally going to a browser and downloading it like the old days, but they're putting it into their tool and it happens behind the scenes and it might execute this malware.
"The sophistication of the attacks is low and these malware components don't even often pretend to be a legitimate component. They don't compile. They're not going to run the test. All they do is deliver the payload. It's like a smash-and-grab."
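Two of the checks a practitioner would want against the lookalike-name and install-time-execution problems described above, as an added example that is not code from the article or from Sonatype: a confusable-name check that knows PyPI collapses dash/underscore differences (PEP 503 normalization) while npm does not, and a scan of an npm manifest for the lifecycle scripts that run during `npm install`. The list of popular names, the candidate names and the package.json fragment are all constructed for illustration.

```python
"""Vet a proposed dependency for lookalike names and install-time hooks.

Added example, not code from the article or from Sonatype. POPULAR, the candidate
names and the package.json fragment are constructed; a real check would take the
popular-package list from the registry and the manifest from the fetched tarball.
"""
import json
import re

# Constructed list of well-known names an attacker would want to imitate.
POPULAR = ["lodash", "python-dateutil", "requests", "express", "colorama"]

# npm runs these automatically during `npm install` (unless ignore-scripts is set),
# which is the "download happens by the tools ... it might execute" step Fox describes.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def normalize(name):
    """PEP 503 normalization: PyPI treats runs of '-', '_' and '.' as one '-' and is
    case-insensitive, so 'python_dateutil' and 'python-dateutil' are the same project
    there. npm does not normalize, so the same swap yields two distinct packages."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal-string-alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1 (catches 'lodahs' for 'lodash')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(candidate, popular, registry="npm", max_distance=1):
    """Popular names the candidate could be mistaken for. An exact match is fine."""
    if candidate in popular:
        return []
    hits = []
    for known in popular:
        if normalize(known) == normalize(candidate):
            if registry == "pypi":
                continue  # the registry collapses the difference: same project
            hits.append((known, "separator or case swap"))
        elif edit_distance(candidate.lower(), known.lower()) <= max_distance:
            hits.append((known, f"edit distance <= {max_distance}"))
    return hits


def install_hooks(package_json_text):
    """Lifecycle scripts an npm package would run during installation."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def vet(candidate, package_json_text=None, registry="npm"):
    """Combine both checks; anything flagged is reviewed before it reaches CI."""
    report = {
        "name": candidate,
        "lookalikes": lookalikes(candidate, POPULAR, registry),
        "install_hooks": install_hooks(package_json_text) if package_json_text else {},
    }
    report["needs_review"] = bool(report["lookalikes"] or report["install_hooks"])
    return report


# Constructed manifest for a typosquat that runs code as soon as it is installed.
SUSPICIOUS_PACKAGE_JSON = """{
  "name": "lodahs",
  "version": "4.17.21",
  "scripts": {"postinstall": "node ./setup.js", "test": "echo ok"}
}"""

if __name__ == "__main__":
    for name in ("lodahs", "python_dateutil", "colourama", "express"):
        print(vet(name, SUSPICIOUS_PACKAGE_JSON if name == "lodahs" else None))
```

The install-hook scan is deliberately a review trigger rather than a block: plenty of legitimate native-addon packages have a `postinstall`, so the useful control is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI, with hooks re-enabled only for packages someone has read. The registry parameter matters for the name check: the dash/underscore trick the article describes creates a distinct package on npm but resolves to the legitimate project on PyPI.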
(Score: 2) by krishnoid on Thursday February 23, @06:43PM
Perl had a tainting mode [docstore.mik.ua] that would mark data as un/safe as it moved through your Perl code (please reply with jokes below). Not the best/only way to do it, but it's a good example of how software toolchains, languages, and compile/runtime options can support defense against malicious efforts at various levels.