10-point plan to enhance the security of open source software revealed

Suggestions for improving security Open Source The software was unveiled at a summit attended by celebrities in the tech industry. The OpenSource Security Summit, sponsored by the Linux Foundation and the OpenSource Software Security Foundation with the support of the US government, is a series of supply chain cyberattacks made possible by flaws in open source code.

According to one study, cyber attacks in the software supply chain increased by 650% last year, with many using open source libraries (pic Peach_iStock / iStock).

Held on the 1st anniversary of Of President Joe Biden Executive Orders to improve national cybersecurityYesterday’s summit was attended by more than 90 executives from 37 companies and government leaders from six government agencies, including the National Security Council (NSC) and the Cyber ​​Security Infrastructure and Security Agency (CISA). Companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMWare are part of the initiative, promising a total of $ 30 million to fund the response with a 10-point plan to enhance security. ..

This plan was announced as part of the summit. This includes facilitating developer training, implementing digital signatures, and auditing the 10,000 most popular open source code libraries. Open source experts believe that some elements of the plan are promising, but others may prove to be too normative to benefit the open source community. I have.

Why do you need to improve open source security?

The 10-point plan proposal was designed by the Linux Foundation and the OpenSource Software Security Foundation to standardize security practices within the open source community. Open source repositories are widely used by developers, and on average, 85% of all applications are made up of open source code, according to a survey by open source security vendor Sonatype.

A flaw in this code can cause serious problems if exploited by hackers.The most recent example that has received the most attention Log4Shell vulnerabilityIt came to light before Christmas last year. Deficiencies in commonly used Java libraries Hackers were used to launch supply chain attacks on customers of companies whose systems were compromised, including the world’s largest software vendors.

World wide, Software supply chain attack According to a survey by professional security provider Sonatype, it has surged recently, up 650% year-on-year last year.

Content from partners
Leverage the cloud and expertise to optimize engagement from onboarding to conclusions

How Enterprises Get Best Prepared for Financial Digitalization

How AI empowers Middle Eastern energy operators to deliver oil and gas 4.0

Open Source Software Security: How Can You Improve?

A free security coding course for the potential solutions shown in the 10-point plan Software developer Anyone who wants to contribute to the open source community, implementation Digital signature Third-party security checks for the most commonly used open source components to validate developers and eliminate malicious attackers.

Security expert who spoke to Tech monitor The plan says the end user needs to take more responsibility. “The problem is that all these rules are the developers who create this software and put more strain on them,” claims Peter Chestna, CISO of the open source security testing platform Checkmarx. “It doesn’t see anything about consumers,” Chestna said to users of open source code. [vulnerability] When announced or malicious code is announced. ”

Brian Fox, CTO of Sonatype, agrees. “Software is written for humans and will be error-prone,” he says. “Therefore, if you are consuming but do not take ownership and you do not have the steps to deal with it. [to security incidents] It doesn’t matter what happens [with the software] -It will never be perfect. “

Is it realistic to enhance training in open source software security?

Some of the ideas presented in the plan could keep software developers away from open source. Imposing educational standards on developers before contributing to the repository can discourage people from volunteering.

“Some of these open source people are paid contributors,” he explains. “But many are developers doing it as a hobby. Are you going to keep them out and say,” I can’t do this anymore “? I think it’s a mistake. ”

However, Fox believes that educating them for free will ultimately have the desired effect. “If you’re a developer and you don’t have this minimum training standard, finding a job can be difficult,” he says. “In some industries, that alone is an incentive. Is it forcing people? It’s not perfect, but it certainly can greatly encourage, enable and empower them.”

Another controversial point is auditing the top 10,000 libraries. This can range to hundreds of thousands or even millions of codes, including sub-libraries, Chesna says.

He adds that if the code is protected, other libraries will be targeted by hackers instead. “When you start saying I’m going to target the top 10,000, this is like saying I’m going to lock the front doors and windows of my house,” says Chestna. .. “You are not looking at the back door. We are just moving the problem.”

Overall, Chestna believes the plan is heading in the right direction, but it can be too normative for an open source situation. “I think about half of that is heading in the right direction and should be prioritized,” he says. “The other half is to talk about obligations and force people to do what they don’t want to do frankly.”

But that could be the first step in a journey to protect open source software, says Fox of Sonatype. “This is a marathon, not a sprint,” he adds. “Therefore, some of these will take a long time to be effectively deployed throughout the ecosystem.”

read more: Mailchimp was hacked and an “exceptional” supply chain attack was launched 10-point plan to enhance the security of open source software revealed

Back to top button