Software development is a highly competitive industry with companies striving to satisfy client's needs and drive growth. Companies with rapid innovation and collaborative efforts thrive; making open-source software (OSS) libraries a hard requirement for reducing project turnaround time. Vast OSS repositories such as Python's PyPi, Node.js's NPM, and Java's Maven offer a treasure trove of ready-to-use functionality that can be implemented quickly - reducing workloads and igniting turnaround times.
However, while these OSS repos promising free, ready-to-use, community-driven code are as much responsible for the tech revolution as faster CPUs, more RAM, and faster network bandwidth, they also represent significant security risks. In just one example of thousands, the Log4J vulnerability that took the cybersecurity industry by storm in December 2021 is hosted within the popular Maven Java repository.
Here are a few more facts to frame the threat that OSS, as well as closed-source supply chain vulnerabilities, pose:
Mandiant's M-Trends 2022 reports that 17% of all security breaches start with a supply chain vulnerability
Google product manager Andy Chang cited industry sources reporting a 650% surge in software supply chain attacks in 2021 when the use of OSS increased dramatically
In January 2022, the White House held a special meeting to address the increasing threat of software security
To safely reap the benefits of OSS it's clear that development operations need to implement measures to assure the security of third-party software. In this article, we shed light on a recent initiative that provides some refuge from the storm (Google's Assured Open Source Software Program) as well as outline some other ways to navigate this complex landscape with caution and diligence.
In May of 2022, Google launched the Assured Open Source Software initiative, allowing developers to leverage Google's security research that combines both automated scans and manual processes to vet Java and Python libraries. This new service is free for public use and discloses which packages Google endorses and uses internally. Most importantly the program reduces risks associated with using third-party libraries thanks to Google's proactive code audits and bug patching.
The project promises to deliver industry-standard Software Bill of Materials (SBOM) for each Java and Python package included in the program and libraries will be digitally signed to prevent tampering. The program currently has just over 1000 assured libraries - a fairly conservative number but it's fair to say these are core libraries, fundamental to Java and Python application design giving developers a solid foundation to build upon.
Limiting the use of OSS to only vetted libraries is a good step towards remediating the risk of dangerous third-party OSS, but the initiative's limitations mean that complex DevOps and application design will no doubt demand that developers extend their reach to third-party OSS libraries outside the program's scope.
Here are some other strategies and initiatives that can help mitigate the risks associated with open-source libraries:
Supply Chain Levels for Software Artifacts (SLSA) refers to a set of security compliance standards for software supply chains. SLSA compliance is designed to verify that software used within an organization adheres to a set of principles and practices and categorize it accordingly. Developed by Google, the SLSA framework defines four levels of compliance that organizations can achieve:
SLSA Level 1 (Basic): This level focuses on establishing a strong foundation for software security and includes practices such as using version control, conducting code reviews, and performing vulnerability scanning
SLSA Level 2 (Verifiable): Level 2 builds upon Level 1 and introduces more rigorous security practices such as cryptographic signatures for software artifacts, establishing software bill of materials (SBOM), and enforcing code provenance
SLSA Level 3 (Defined): Level 3 further enhances security by requiring the establishment of a secure build environment, implementing automated testing, and conducting security assessments
SLSA Level 4 (Advanced): Level 4 represents the highest level of SLSA compliance and includes advanced security measures such as vulnerability management, penetration testing, and continuous monitoring of the software supply chain for potential security issues
By adopting SLSA-compliant practices, organizations can enhance the security and trustworthiness of their software supply chains. It helps mitigate the risks associated with compromised or malicious software components, making it easier to detect and address security vulnerabilities and protect against supply chain attacks.
There are a number of software tools to expedite the task of static application security testing (SAST) such as OWASP Dependency-Check, GitLab SAST, Retire.js for Javascript, and the popular commercial platform Snyk. These tools help developers identify and fix vulnerabilities in their software dependencies.
Organizations should implement security testing at various stages of the software development life cycle to ensure that vulnerable packages are weeded out early in the process, and continuously during development to ensure that included libraries are being used in secure ways.
OpenSSF (Open Source Security Foundation) is a collaborative initiative focused on improving the security of open-source software founded by big-tech industry leaders including Google, IBM, Microsoft, GitHub, Red Hat, OWASP, and the Linux Foundation.
It was launched in August 2020 as a cross-industry effort to bring together organizations and individuals with the goal of addressing security challenges in open-source software development and serves as vendor-neutral forum for collaboration, knowledge sharing, and development of best practices related to open-source software security.
Open-source software (OSS) libraries offer significant benefits in terms of reducing project turnaround time but come with inherent security risks. Google's Assured Open Source Software Program gives development teams a set of core Java and Python libraries, allowing them to safely take advantage of OSS. Integrating SLSA compliance, scanning OSS packages with security tools, and engaging with initiatives like OpenSSF are additional measures to mitigate risks and enhance the security of software development.
Incorporating security strategies into all stages of the software development life cycle is critical and can help organizations navigate the complex landscape of open-source library security. And if you're looking for even more in-depth expert advice on the subject? Reach out today or sign up for our free newsletter.
October 24 - Blog
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
September 26 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.