remote code execution

Developer community rallies to secure open source software

Print Friendly, PDF & Email

An ongoing series of remote code execution (RCE) attacks finally appears to be providing the motivation developers need to address long-standing vulnerabilities that cybersecurity teams would otherwise have to clean up after they’ve been exploited.

The latest example of an RCE attack involves a popular JavaScript library known as UAParser.js that is used widely on web sites. Downloaded millions of times a week, the library was injected with extra scripts that would download and execute binaries from a remote server. The library has since been patched, but it’s now only a matter of time before similar types of RCE attacks are launched.

Examples of other RCE attacks include malicious code injected into Confluence collaboration software from Atlassian as well as Azure Open Management Infrastructure (OMI), a software agent that is preinstalled on the Microsoft cloud platform. The most infamous example of a recent RCE attack is, of course, the compromise of the SolarWinds software supply chain.

Big investments in protecting open source projects

The seriousness of the issue has resulted in the Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, raising $10 million to help maintainers embrace best practices to better protect open source projects from malicious code that might be injected into software by bad actors pretending to be just another contributor to the project.

Financial commitments came from both Premier members of the OpenSSF, such as Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware, as well as General members such as Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

That investment comes on the heels of a previous $1 million pledge from Google to help open source developers adhere to guidelines established by the National Institute of Standards and Technology (NIST) arm of the U.S. Department of Commerce in response to the recent executive order on cybersecurity issued by the Biden administration. Administered as a pilot program by the Linux Foundation, that effort is part of a larger $10 billion commitment that Google previously made to open source security.

Collectively, these initiatives provide developers with everything from free training and tools for building software with materials that identify the components used to build an application to funds that compensate developers for addressing vulnerabilities found in open source software that is deemed critical to the industry.

Changing attitudes about open source

Given the amount of dependency there is now on open source software within even commercial applications, the current level of focus on open source software security is a welcome if not overdue change. Too many contributors to open source software assume that securing the free software that they were gracious enough to create is the responsibility of the organization that uses it. While that “user beware” approach to security is understandable from individuals that are not compensated for their efforts, there’s clearly a balance to be struck between taking no responsibility for security and giving end users more confidence in the code being provided.

The challenge, of course, is most developers don’t have a lot of security expertise. Otherwise, these issues wouldn’t exist in the first place. Cybersecurity professionals are going to need to participate in a meaningful effort to better secure software. That creates a clear need to find a way to make it easier for cybersecurity professionals to participate in these initiatives. In fact, the first order of business for many of the maintainers of these projects may arguably be to put out a call for help among cybersecurity professionals willing to work alongside them to create a better outcome for all concerned.

Scroll to top