Open source code has conquered the world of software. Almost every website, API, and application is built on an enormous stack of open source libraries and frameworks that together total many millions of lines of code. Millions of corporations and developers are taking advantage of this expansive array of components, at zero cost and with easy integration, to create more sophisticated software far faster than they could by writing it themselves.
I am a huge advocate of open source and have led several very successful open source projects. But along with all the benefits of open source components, we have to recognize some new risks. There are millions of these libraries across language ecosystems such as Java, .NET, Ruby, Python, Go, and many more. Dozens of new vulnerabilities are discovered every week, but we're only scratching the surface. The problem is that only a handful of talented security researchers are doing the highly skilled work of testing this code.
That means that there are, almost certainly, large numbers of latent vulnerabilities in open source software. Having a researcher discover one of these and publish it seems like an expensive fire drill for companies, because they have to search their applications to see whether they're using the library, replace it, recode their application to match the new version, retest, resecure, and redeploy. But if a malicious actor finds the vulnerability first and starts attacking companies with it, the damage can be far more expensive. Web applications and web APIs typically run with broad privileges inside a company's data center (database credentials, service accounts, access to the internal network), and every open source library an application loads inherits the power to do anything the application can do. A library has no sandbox of its own.
Bad actors have recognized the power of the software supply chain as an attack vector. If finding a vulnerability gets too hard, they can switch to attacking the open source projects themselves. For example, they could simply join a project and contribute code that contains or creates a weakness. Or they could target the package repositories by cloning an existing library, introducing malicious code, and publishing it under a name that looks like the original, hoping developers mistype or misread the name. Attackers have even targeted the development tool chain to inject their code into the binaries it builds. In all of these cases, developers and end users alike would see nothing unusual happening in their data center, yet they would be completely compromised.
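Two of the checks the last two paragraphs imply can be automated: "are we using the library, and in an affected version?" and "does anything in our inventory look like a typo of a well-known package?" The script below is an added example written for this page, not code from the article or from Contrast Security. Everything in it is constructed for illustration: the requirements-style inventory, the advisory record (a hypothetical package `examplelib` with affected versions `2.0.0` up to but not including `2.15.0`), and the short list of "popular" names standing in for real registry data. Version comparison is deliberately simplified to numeric `X.Y.Z` pins rather than full PEP 440; the look-alike check uses optimal string alignment distance so that a single transposed letter (`reqeusts`) counts as one edit, since that is the commonest typosquat pattern.

```python
"""Added example (not from the original article): audit a dependency inventory
against one advisory and flag look-alike package names.

Everything here is constructed for illustration: the inventory, the advisory
for the hypothetical package 'examplelib', and the 'popular' name list.
"""
import re

# Constructed sample inventory in requirements.txt style (not a real project).
INVENTORY = """\
# constructed sample inventory (not a real project)
requests==2.31.0
examplelib==2.14.1   # hypothetical package and version
reqeusts==2.31.0     # one transposition away from 'requests'
Flask==2.3.2
"""

# Hand-written stand-in for a real advisory record. Ranges are
# [min_inclusive, max_exclusive), so the fixed version itself is not flagged.
ADVISORY = {
    "package": "examplelib",
    "affected": [("2.0.0", "2.15.0")],
}

# Stand-in for registry download-rank data; real checks use a much longer list.
POPULAR = ["requests", "Flask", "django", "numpy", "urllib3"]


def normalize(name: str) -> str:
    """PEP 503-style normalization so 'Flask', 'flask' and 'Flask_' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return {normalized_name: version} for 'name==version' lines.
    Blank lines, comments and unpinned requirements are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def version_key(v: str) -> tuple:
    """Numeric comparison key padded to three components, so '2.15' == '2.15.0'.
    Good enough for X.Y.Z pins; not a full PEP 440 implementation."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def affected_packages(pins: dict, advisory: dict) -> list:
    """'name==version' entries from the inventory that fall in an affected range."""
    name = normalize(advisory["package"])
    if name not in pins:
        return []
    v = version_key(pins[name])
    for lo, hi in advisory["affected"]:
        if version_key(lo) <= v < version_key(hi):
            return [f"{name}=={pins[name]}"]
    return []


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'reqeusts' is distance 1 from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(pins: dict, popular: list, max_distance: int = 1) -> list:
    """Installed names that are NOT a known package but sit within edit
    distance of one: candidate typosquats, as sorted (installed, known) pairs."""
    known = {normalize(p) for p in popular}
    hits = []
    for name in pins:
        if name in known:
            continue
        for p in known:
            if osa_distance(name, p) <= max_distance:
                hits.append((name, p))
    return sorted(hits)


def audit(inventory_text: str = INVENTORY, advisory: dict = ADVISORY,
          popular: list = POPULAR) -> dict:
    """Run both checks over one inventory and return the findings."""
    pins = parse_requirements(inventory_text)
    return {
        "affected": affected_packages(pins, advisory),
        "lookalikes": lookalikes(pins, popular),
    }


if __name__ == "__main__":
    print(audit())
```

Run against the constructed inventory, the audit reports `examplelib==2.14.1` as inside the affected range and `reqeusts` as one edit away from `requests`; `requests` and `Flask` themselves are exact matches and are not flagged. In practice the inventory comes from a lock file or SBOM for every deployed build, not just the source tree, because the question that matters during the "fire drill" is what is actually running.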
The ramifications of this are staggering. If an attacker were able to infiltrate a popular library like log4j, they would very quickly be running with privilege inside most data centers in the world. They could use this access not only to attack the targeted application but also as an internal launching point for attacks on the organization's internal network. And that's just a single library. This is the easiest path to seriously disrupting the Internet and harming huge numbers of people.
Organizations need to minimize their exposure and establish the capability to respond to novel vulnerabilities and attacks within hours. Unfortunately, most organizations take months to respond and are very exposed in the interim. Every company that is betting their future on software needs to have a strategy for beefing up the security of their software supply chain. Here are a few practical tips:
In an age of "digital transformation initiatives" your software supply chain is the key to creating and deploying applications quickly. Please make sure you don't inadvertently undermine your entire business in the rush to reinvent it.
A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control ...