{"id":18938,"date":"2021-08-05T21:41:35","date_gmt":"2021-08-05T21:41:35","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=18938"},"modified":"2021-08-05T22:39:15","modified_gmt":"2021-08-05T22:39:15","slug":"open-source-security-a-big-problem","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/applications\/open-source-security-a-big-problem\/","title":{"rendered":"Open Source Security: A Big Problem"},"content":{"rendered":"

Open source security has been a big focus of this week’s Black Hat conference, but no open source security initiative is bolder than the one proffered by the Open Source Security Foundation (OpenSSF).<\/p>\n

Amid discussions on the security of open source technologies like eBPF and Hadoop, OpenSSF speakers Jennifer Fernick, SVP and head of global research at NCC Group, and Christopher Robinson, Intel’s director of security communications, outlined the group’s vision to secure open source software “end to end, at massive scale.”<\/p>\n

OpenSSF was formed a year ago by the merger of Linux Foundation, GitHub and industry security groups. It has more than 50 members so far, from tech giants like IBM, HPE, Intel, Facebook, Google, Cisco, Microsoft, Huawei, Samsung and VMware, to small companies, open source-based companies like Red Hat, Suse and Canonical, and open source users like JP Morgan Chase, Comcast and Uber.<\/p>\n

Open Source Software is at the Heart of Everything<\/h2>\n

Fernick and Robinson cited Sonatype research that FOSS (free and open source software) constitutes 80-90% of any piece of modern software (see chart below).<\/p>\n

\"open<\/p>\n

A Synopsis report found that 84% of these codebases had at least one vulnerability, with the average having 158 per codebase. Most OSS vulnerabilities are discovered in indirect dependencies (Snyk). A typical vulnerability can go undetected for 218 weeks, and on average takes 4 weeks to get resolved once the project is alerted to it (Octoverse).<\/p>\n

At a time when the time between vulnerability disclosure and exploit creation has gone from 45 days to 3, “the number of vulnerabilities in the wild outpaces the speed at which the security community can patch<\/a> or even identify them,” and automated attacks are quickly weaponizing even little-publicized flaws, Fernick said.<\/p>\n

The distributed, public-facing nature of open source projects is one issue contributing to the security challenge, as can be limited project staffing. They noted that the Heartbleed OpenSSL vulnerability<\/a> persisted for years in part because the project had just two full-time developers to develop and maintain 500,000 lines of code. Nearly 100,000 public web servers remained vulnerable five years later.<\/p>\n

Robinson encouraged those who use open source software to help improve security by giving back.<\/p>\n

“We all use the software,” he said. “Let’s all find ways to help improve it.”<\/p>\n

Big Ambitions<\/h2>\n

OpenSSF plans to tackle the OSS security problem in a big way, with stated objectives like “prevent classes of bugs from being possible at all.”<\/p>\n

The group wants to concentrate resources on securing the most critical libraries, components, and projects, a wise approach that should benefit everything using the same codebase, and a number of training, design, testing and vulnerability disclosure and patching projects are in the works. Robinsons also discussed OpenSSF’s reference architecture – see graphic below.<\/p>\n

\"OpenSSF<\/p>\n

A number of successes so far include:<\/p>\n