For the past few years, open source software repositories such as npm and PyPI have been the target of a growing number of malicious campaigns aimed at developers. The problem is getting worse. This year alone, ReversingLabs threat researchers discovered seven malicious campaigns on PyPI and npm, with many of them using tactics like typosquatting and code obfuscation to fool developers into downloading malicious packages.
As a result of this surge in malicious activity, governments have stepped in to address the growing risks to open source software (OSS). In the U.S. for example, the Office of the National Cyber Director (ONCD), in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), put out a Request for Information (RFI) in regards to OSS security. In Europe, the E.U. has been undergoing the lengthy process of amending and pushing forward the Cyber Resilience Act (CRA), which addresses liability for software security and has big implications for open source maintainers.
ConversingLabs host Paul Roberts sat down with Mikaël Barbero of the Eclipse Foundation to get a sense of how the open source community is dealing with this surge in attacks, as well as how policy initiatives are going to impact OSS generally,
[ See ConversingLabs with Barbero: The State of Open Source Software Security ]
A changing landscape for OSS threats
Eclipse is a not-for-profit that stewards several widely-used open source projects, such as Eclipse ID, Jakarta EE, and Eclipse Temurin. Barbero’s role as the Head of Security at the foundation gives his team the responsibility of securing Eclipse’s 400+ open source projects. Given how widely used Eclipse’s projects are by the global developer community, maintaining their security posture is an essential task.
In his role as the Head of Security at Eclipse, Barbero has become well aware of how the threat landscape for OSS has changed over the past two decades. He made the point to Roberts that “open source has won” in regards to its legitimacy and consistent popularity among developers when compared to proprietary software. But, Barbero warns, “with great power comes great responsibility,” meaning that OSS has become both an asset and a liability to development organizations, especially now with threat actors abusing it:
“What we see is that open source is so ubiquitous that they (threat actors) are not looking for zero days anymore, but they are trying to put zero days (into repositories) by themselves.”
This shift in threat actors’ methods has made OSS supply chain attacks all the more detrimental to the global developer community.
Barbero works closely with government agencies, including CISA in the U.S. and the E.U. to collaborate and decide on best practices for OSS security. His team at Eclipse has been tuned into their policy efforts, such as the U.S.’s RFI and the E.U.’s CRA, to ensure that these efforts best meet the needs and realities of the OSS community.
Hands off, OSS!
Initiatives like the National Cybersecurity Strategy (PDF) and the OSS RFI are good steps, because they don’t erect barriers onto OSS maintainers and contributors:
“You should not put the burden of any additional regulation on the open source software developers.”
When it comes to the E.U.’s Cyber Resilience Act (CRA), Barbero said the legislation “has some missteps along the way, especially around open source.” He explained to Roberts that as it currently stands, the CRA will regulate OSS for “commercial activity,” which if done incorrectly, could negatively impact the industry and ability for OSS to be used as a global resource.
To hear more about Barbero’s take on the current threats posed to OSS, his concerns and hopes for policy initiatives, as well as solutions that developers can rely on right now to mitigate the problem, watch the latest episode of ConversingLabs: The State of Open Source Software Security, or listen to it wherever you get your podcasts.
- See Webinar: Secure by Design: Why Trust Matters for Risk Management
- Supply Chain Risk Report: Learn why you need to upgrade your AppSec
- See special report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Special report: C-SCRM and federal supply chain security guidance
- Dev & DevSecOps