As vital as we know open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to expedite software development is clear– but so is the significant room for error, when not properly managed.
Two years ago our CTO, Brian Fox, started chronicling a disturbing turn of events that showed that a shifting landscape of attacks based on OSS consumption was emerging. Since then, we’ve seen a consistent increase in malicious open source and supply chain attacks that make one thing clear– it’s only going to get worse. Most recently it was the Bootstrap-sass hack and before that, the event-stream attack.
At a NADOG event earlier this month, Brian shared even more of our research on better understanding these attacks and how the open source industry needs to change given today’s new normal. A video of his presentation is below– I definitely recommend a listen.
A little background on how we got here: five years ago, large and small enterprises alike witnessed the first prominent Apache Struts vulnerability. In this case, Apache responsibly and publicly disclosed the vulnerability at the same time they offered a new version to fix the vulnerability. Despite Apache doing their best to alert the public and prevent attacks from happening, many organizations were either not listening, or did not act in a timely fashion— and, therefore, exploits in the wild were widespread. Simply stated, hackers profit handsomely when companies are asleep at the wheel and fail to react in a timely fashion to public vulnerability disclosures.
Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collection and others, including the 2017 attack on Equifax– all of which followed the same pattern of widespread exploit post-disclosure.
Shift forward to today and hackers are now creating their own opportunities to attack.
This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors.
It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days – and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.
This troubling trends makes it even more vital for enterprises to understand what open source components they’re using and where; and increasingly important for open source developers to pay attention to their own security.