
Threat of open-source software attacks

by Mark Rowe

Open-source software (OSS) packages have become something of a necessity for developers in recent years. In fact, they are so widely adopted that you would be hard pressed to identify an organisation that doesn’t use some form of software containing these communal elements, writes Andy Swift, Cyber Security Assurance Technical Director, Six Degrees.

This is because, by incorporating such packages into their software rather than having to produce their own elements from scratch, software designers can save countless development hours. After all, why spend the time creating and inevitably fixing your own software code when you can plug in an existing solution? While its utility is undeniable, the near universal usage of OSS amongst the developer community has now drawn the attention of cyber-attackers looking for effective targets.

OSS vulnerabilities

When it comes to the vulnerabilities of OSS, there are a plethora of risks to be mindful of – as the consequences of an attack leveraging OSS vulnerabilities can be disastrous. Organisations must be cautious even when leveraging widely trusted and adopted OSS solutions, as their incorporation into software integrations can often leave end users oblivious to the threats they are exposed to should that software be compromised.

An infamous example underscoring what can happen when such vulnerabilities are left unprotected is Log4j, a popular logging utility used by scores of organisations for recording events such as status reports and errors. In an incident which is now referred to as ‘Log4shell’, a zero-day vulnerability in this software allowed threat actors to employ malicious code in order to compromise systems incorporating the Log4j utility. This allowed hackers to launch an estimated 1.2m attacks while remaining largely undetected. At the time, its effect was described as “enormous” and the consequences of its implementation into countless commercial products underlined the significant, widespread damage that could occur when weak points are exposed.

One of the most substantial risks of OSS is the fact that there is no strict regulatory body monitoring its distribution. Public OSS repositories, the source of the majority of these packages, are regularly inundated with new third-party software and application updates. As a result, the sheer volume on offer makes security vetting a huge undertaking – a responsibility that falls largely on security researchers and firms who do not have the capacity to thoroughly deal with this demand.

OSS repositories

Preying on the shortfall of these vetting processes, hackers have exponentially increased their attacks on OSS repositories in recent years, especially when it comes to targeting supply chains. One method of attack they use is to manipulate legitimate packages with malicious insertions, which are then re-distributed on these public repositories under the guise of pre-existing software. In addition to hijacking trusted packages, another strategy they use is to produce something brand new to upload to the sites. These packages are often actually helpful and suitable for purpose on the surface but will have secondary malicious code embedded within. When it comes to this approach, some cybercriminals even go as far as creating social media profiles presenting themselves as credible developers to establish a more convincing persona.

Who is at risk?

Those industries relying on predictable applications are most likely to be at risk of OSS attacks on established software. The banking sector, for example, has a formulaic and legacy-led application landscape, offering an attractive target for open-source-focused attackers. Here, hackers can anticipate the software that will be run by individual banks based on established industry preferences, injecting malicious code accordingly. Rather than attacking a higher volume of random targets with more unpredictable infrastructures, attackers who take this approach can be more pragmatic about their potential targets, focusing on those with foreseeable choices of software for greater efficiency and reliability.

However, no industry is invulnerable to such attacks, not least because the development ecosystem is geared towards optimising the use of open-source technologies. Developers sharing packages throughout their community is not a new concept by any means. Modern work environments in particular usually operate using a significant amount of ‘off the shelf’ software, much of it with some form of OSS package built in. But the major issue today is that, although numerous security problems within OSS packages have been flagged because those packages predominantly cater to larger audiences, by the time such vulnerabilities surface they are often too entrenched within developed software to be isolated and removed effectively.

Mitigating OSS threats

In the case of the Log4shell incident, the impact of the attack was greatly worsened by widespread ignorance about which software integrations were contaminated. To protect against future attacks of the same nature, organisations must have an in-depth understanding of every piece of software they deploy. Thus, in this context, comprehensive documentation detailing OSS integrations can be invaluable.

This is why there’s a need for a readily accessible software directory that aids rapid vulnerability assessments. Where no such directory exists, tools that analyse software and identify the packages it contains can still see organisations through should the worst occur.

Ultimately, protection from OSS attacks hinges on awareness and knowledge. Although open-source software has been immensely beneficial over a long period of time, as its widespread adoption proves, it is not without its weaknesses. As OSS becomes universally incorporated, the vulnerabilities it can contain are inevitably going to be magnified. In this regard, greater levels of knowledge, vigilance, and proactive measures are the best defence in this evolving and crucial sector of the technology industry.
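The two mitigations above, a directory of the OSS components in use and a tool that identifies packages and checks them against known advisories, are what a software bill of materials (SBOM) check does in practice. The following is an added example written for this article, not code from Six Degrees or any named project: it builds an inventory from a constructed pinned-requirements file and flags components whose version falls inside an affected range. Every package name, version and advisory identifier in it is hypothetical.

```python
"""Minimal SBOM-style inventory and advisory check (added example).

Parses a constructed requirements-style lockfile into a component
inventory, then matches each component against a constructed advisory
list with affected version ranges. All package names, versions and
advisory IDs below are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass

# Constructed lockfile content (hypothetical packages and versions).
LOCKFILE = """\
# pinned dependencies
logkit==2.14.1
fastjson==1.2.0
imgtools==3.0.2  ; extra comment
"""

# Constructed advisories: (package, first affected, first fixed, placeholder id).
# A component is affected when first_affected <= version < first_fixed.
ADVISORIES = [
    ("logkit", "2.0.0", "2.15.0", "ADV-PLACEHOLDER-001"),
    ("fastjson", "1.0.0", "1.2.1", "ADV-PLACEHOLDER-002"),
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_version(v):
    """Turn '2.14.1' into a comparable tuple (2, 14, 1)."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Return the pinned components, skipping comments and blank lines.

    Unpinned requirements are rejected: an inventory is only useful
    when every component has an exact version to compare against.
    """
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        comps.append(Component(m.group(1).lower(), m.group(2)))
    return comps


def find_affected(components, advisories=ADVISORIES):
    """Return (component, advisory_id) pairs whose version is in an affected range."""
    hits = []
    for c in components:
        v = parse_version(c.version)
        for name, first_affected, first_fixed, adv_id in advisories:
            if c.name == name.lower() and \
                    parse_version(first_affected) <= v < parse_version(first_fixed):
                hits.append((c, adv_id))
    return hits


def report(text):
    """Inventory plus affected list, in a form that can be stored or diffed."""
    comps = parse_lockfile(text)
    return {
        "inventory": [f"{c.name}=={c.version}" for c in comps],
        "affected": [(f"{c.name}=={c.version}", adv) for c, adv in find_affected(comps)],
    }


if __name__ == "__main__":
    r = report(LOCKFILE)
    print("Inventory:", *r["inventory"], sep="\n  ")
    print("Affected:", *[f"{p} -> {a}" for p, a in r["affected"]], sep="\n  ")
```

The point of keeping the inventory step separate from the advisory step is the one the article makes about Log4shell: the inventory is built and stored before any incident, so when a new advisory lands the question "which of our software contains this package?" is a lookup rather than an investigation.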

© 2024 Professional Security Magazine. All rights reserved.