The Nightmare Scenario: Securing Open Source Software
Earlier this year, a Microsoft developer made a startling discovery – someone had inserted a backdoor into the code of open source utility XZ Utils, which is used in virtually all Linux operating systems. The operation began two years earlier when that someone, a person nicknamed JiaT75, started contributing to the XZ Utils repository on GitHub.
A cybersecurity expert called this attack a ‘nightmare scenario’ and ‘the best executed supply chain attack we’ve seen.’ This incident serves as another stark reminder that open source software, given how widespread it is, can pose significant security risks. It follows other well-known cybersecurity incidents involving open source software like Heartbleed, Shellshock, and Log4j.
At TechCrunch Disrupt 2024, Bogomil Balkansky, partner at Sequoia Capital; Aeva Black, the section chief for open source security at the U.S. Cybersecurity and Infrastructure Security Agency; and Luis Villa, the co-founder of Tidelift, sat down to discuss the challenges of securing open source software.
The Challenge of Securing Open Source Software
"I like to say open source is not free like pizza. It’s free like a puppy. You take it home and don’t feed it, it’s going to eat your furniture, your shoes," said Black. Balkansky called open source software the ‘**lifeblood of software,’ which makes it ‘foundational and baked into everything.’ The problem, Balkansky added, is that ‘the business model for open source is still very much work in progress.’
So, who should take care of it and pay to secure it? Villa and his team at Tidelift propose a model where the company pays open source maintainers to take care of their code and partners to fix vulnerabilities. CISA, Black explained, is now getting involved, launching initiatives to tell businesses what are the best —and worst— security practices when it comes to deploying open source software.
"We’re here to participate as a member of the open source community and work with them," said Black, who thinks open source software is a public good. In terms of how to go forward, Balkansky said that ‘the solution to open source security, at least to some degree, also needs to be open source,’ and warned that ‘there are no silver bullets.’
The Need for Multiple Approaches
Villa said that there’s a need for ‘multiple approaches’ and ‘defense in depth,’ which means there’s a need for several layers of security to protect the open source ecosystem. And Black said that software builders need to know which open source software is in their products.
"We need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and nonprofits," Black said.
The Role of CISA
CISA, under Aeva Black’s leadership, has taken a proactive approach to addressing the security risks associated with open source software. As Section Chief for Open Source Security at CISA, Black is working tirelessly to educate businesses about the importance of secure open source practices and to provide resources for companies to mitigate potential risks.
Black emphasized that CISA is committed to participating as a member of the open source community and working with them to address these challenges. "We’re here to participate as a member of the open source community and work with them," she said.
The Business Model for Open Source
Bogomil Balkansky, partner at Sequoia Capital, noted that the business model for open source is still in its infancy. He emphasized that the solution to open source security needs to be open source itself. "There are no silver bullets," he warned.
Luis Villa and his team at Tidelift have proposed a model where companies pay open source maintainers to take care of their code and partners to fix vulnerabilities. This approach recognizes the value of open source software and acknowledges that it requires ongoing maintenance and security updates.
Conclusion
The discovery of the backdoor in XZ Utils serves as a stark reminder of the potential risks associated with open source software. The discussion at TechCrunch Disrupt 2024 highlights the need for multiple approaches to securing open source, including defense in depth and better engagement among companies and maintainers.
As CISA continues to play a critical role in addressing these challenges, it is clear that there is no easy solution to securing open source software. However, by working together as an industry, we can mitigate potential risks and ensure the continued success of open source software.
Recommendations
- Companies should prioritize secure open source practices and invest in ongoing maintenance and security updates.
- The business model for open source needs to evolve to recognize its value and require ongoing support.
- CISA’s initiatives to educate businesses about secure open source practices are a crucial step forward in addressing these challenges.
- Multiple approaches, including defense in depth and better engagement among companies and maintainers, are necessary to address the security risks associated with open source software.
By acknowledging the potential risks associated with open source software and taking proactive steps to address them, we can ensure the continued success of this essential component of our digital infrastructure.