Open source software (OSS) packages are vital to application development, so they demand closer attention to reduce cybersecurity risk.
The software development process is getting quicker. Devops teams are under increased pressure to go to market, and they’re able to work quickly, thanks in part to open-source software (OSS) packages.
OSS has become so prevalent that it’s estimated to factor into 80 to 90% of any given piece of modern software. But while it’s been a great accelerator to software development, OSS creates a large surface area that needs to be protected because there are millions of packages created anonymously that developers use to build software.
Most open-source developers act in good faith; they are interested in making life easier for other developers who might encounter the same challenge they’re looking to solve. It’s a thankless job because there’s no financial benefit to publishing an OSS package and plenty of backlash in comment threads. According to GitHub’s Open Source Survey, “the most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).”
Unfortunately, not every OSS package can be trusted. Attribution is hard to track for changes made to open-source code, so it becomes almost impossible to identify malicious actors who want to compromise the code’s integrity. Malicious open source software packages have been inserted to make a point about big companies using these packages but not funding their development, and at other times for purely malicious reasons.
If an OSS package is used to build software and has a vulnerability, that software now has a vulnerability, too. A back-door vulnerability can potentially compromise millions of applications, as we saw with Log4j last year.
