The internet runs on open-source software (OSS). It’s probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is literally embedded in everything from most super computers, cloud computing, billions of phones, and most operating systems. “Open Source” software, as its name suggests, is available to anyone and it poses a particular challenge in tracking down what is happening at all times. This, in turn, leads to the potential for unique — and serious — cybersecurity vulnerabilities.
While proprietary code (not freely available on the internet) isn’t inherently more secure than open-source code (which is freely available), open-source poses some familiar cybersecurity challenges. Why? Because, as the name suggests, it’s open, leaving potential windows for hackers or other bad actors to infiltrate. In fact some reports suggest up to 70%-90% of any “software stack” consists of third party code. What can go wrong? Well, you need only look as far as the SolarWinds saga to know that once bad actors implant malware in what appears to be legitimate software and updates occur, that software can result in mass dissemination of malware. Vulnerabilities range widely, but two include failing to manage library dependencies (by keeping dependencies up to date, developers can take advantage of bug fixes, security patches, new features, and reduce security vulnerabilities) and bad-faith actors (people that intentionally break into systems, or contributors intentionally changing the software to be exploitable).
So, who’s concerned? The military, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Google, DARPA, to name a few. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”
But while the open-source movement has spawned an ecosystem we all depend on, experts say we do not fully understand it. The MIT Technology Review report goes on to say, “there are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivation are often obscure, making it hard to hold them accountable.”
None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase use of enterprise open source software for emerging technologies.” In the past two decades companies have used open source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.
Clear guidelines do exist for best practices related to any kind of secure software, open or otherwise, and include: code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some of the ways that code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact with one another.
The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “that means anyone can check the code to find out if best practices have been followed and can see for themselves if the coding is sloppy. Importantly, with open source, it is possible to see exactly what the software does. If the source code cannot be checked [such as proprietary software], there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs functions that are hidden from the user.” Having a large and active community of users is a vulnerability, but it also means that with the volume of people looking for security gaps potential issues are quickly identified.
Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open source software because it is more cost-effective and flexible than paid-for development solutions. In fact, most organizations use some form of community-borne software, even without knowing it. In can increase the speed of development and decrease the costs. Petrosyan goes on to say, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations from the smallest to the largest have used and do use OSS.
An important question was posed in a 2021 MIT Technology Review article: “If the internet runs on free open source software, then who is paid to fix it?” Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout, and a national security risk when they go wrong. The Log4J project is an open-source tool used widely to record activity inside various types of software. It helps run applications from iCloud to Twitter. The vulnerability of Log4J (see CYRIN’s January 2022 newsletter), although it has been a crucial piece of internet structure, is extremely easy to exploit, made more complicated by the fact that it was founded as a volunteer project. Early attacks came from kids who pasted malicious code in Minecraft servers. Hackers, including some linked to China and Iran, are now seeking to exploit the vulnerability in any machine they can find that’s running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Developer Fillipp Valsorda, at Google, echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”
As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions, the better to predict potential risks. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”
Speaking in that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus went on to say that open source underpins “The systems that run our industry, power grids, shipping, transportation.”
This is a special concern for the military, because critical code could be written by our adversaries and the stakes of possible security breaches are incredibly high. To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has put together a team of well-respected researchers for the task. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.
Margin's work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that -- like Huawei -- has been sanctioned by the US government. In many cases open source that we all depend on is literally run by one or two volunteers. This makes a lot of existing infrastructure very fragile because it depends on open source, and the basis of that software could be run by someone who literally quits one day which happened in 2018 when a developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into the software.
We’ve created this illusion of trust around open-source software and its code As the military, governments and others are now just realizing, we assume it (open source) will always be there because it’s always been there. However, as D'Antoine from Margin Research went on to say “the government is only just realizing that our critical infrastructure is running code that could be literally being written by sanctioned entities. Right now.”
As is the case with all issues surrounding cybersecurity, the risks and benefits of open-source software will no doubt continue to evolve.
We hope you’re enjoying your summer and finding time to spend with family, friends and doing those things you don’t have time for the rest of the year. So, while you’re making plans, don’t forget to include CYRIN in those plans. Now is a good time to get a quick demonstration, some access to the system and a real understanding of what CYRIN training can do for you.
Our tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!