
Open source software security may soon improve


The relationship between cybersecurity professionals and software developers has always been somewhat strained, because many of the security crises that roil organizations can be traced back to flaws in applications. Sometimes the flaw is the direct result of a coding mistake; other times the problem is a legacy application written in C or C++, languages whose lack of memory safety leaves code prone to buffer overflows and similar attacks.

Fortunately, people are starting to pay a lot more attention to application security in the wake of a series of high-profile breaches. Much of that focus is squarely on open source software, such as the widely used Log4j logging library for Java applications, which was recently found to have critical vulnerabilities that many organizations are still struggling to patch. That crisis reinforced the Biden administration's executive order on improving the nation's cybersecurity, which requires federal agencies to adopt stronger software supply chain security practices, and it was soon followed by a White House meeting at which the administration urged leaders of the open source community to find ways to make open source software more secure.

A plan for better security

The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, has now detailed a plan to better secure open source software by focusing on 10 streams of investment that, in total, would require roughly $150 million over two years. That funding is expected to address everything from developer security education and the building of free tools for analyzing code before it is deployed to production, to the setting up of an incident response team that would, for example, reduce the time required to patch newly disclosed vulnerabilities in critical projects. The money is expected to come both from governments around the world and from the corporations that today make extensive use of open source software.

While $150 million may sound like a lot of money, it pales in comparison to the economic damage a single vulnerability such as Log4Shell has already inflicted. Multiply that damage across the many open source projects in which similar vulnerabilities are still waiting to be discovered, and it quickly becomes apparent that $150 million is a small price to pay to fix software on which economies valued in the trillions depend. More than a few cybersecurity professionals are rightly wondering why it took so long for the software community to recognize the true level of risk to the global economy.

Important reminders

Of course, none of the proposed remedies will have an immediate effect. Decades of building applications with flawed tools and techniques are not going to be undone overnight. However, cybersecurity professionals can take some solace in the fact that application security should improve in the months and years ahead.

In the meantime, cybersecurity professionals should remind developers that no matter how cool or popular an open source project might be, they should not reuse code from strangers without vetting it and keeping a record of where it ends up. The single biggest threat to software supply chains today is that developers place too much faith in the integrity of the repositories they pull code from, and often blithely cut and paste that code into applications with no trace of its origin. Then they, and the cybersecurity teams that support them, spend months hunting for every instance of that code the next time a vulnerability in it is inevitably discovered.
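Finding every copy of a pasted snippet or a bundled library months after the fact is the expensive part of the story above. The following is an added example, not code from the article's author or from OpenSSF: it builds a content-hash inventory of a project tree, looks inside jar archives (including jars nested in fat jars), and matches that inventory against the indicators an advisory would publish. The project tree, the pasted snippet and the indicator list are constructed for the example; the `JndiLookup.class` path is the class Log4j removed in 2.16 and is used here only as a path indicator, with placeholder bytes rather than real bytecode.

```python
"""Inventory third-party code so every copy can be located the day an advisory lands.
Added example: the sample tree, pasted snippet and indicator list are constructed here."""
import hashlib
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Class removed from log4j-core in 2.16; its presence in a jar flags a candidate for review.
JNDI_CLASS_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Constructed: a snippet a developer pasted from a gist into the project's vendor directory.
PASTED_SNIPPET = b"# copied from a gist\ndef parse_header(h):\n    return h.split(':', 1)\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _archive_entries(key: str, data: bytes, depth: int = 0) -> dict:
    """Hash each file inside a zip-based archive, keyed as 'archive!entry'.
    Recurses into nested archives (fat jars, Spring Boot jars) up to two levels deep."""
    entries = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return entries  # a renamed non-zip file: its top-level hash is still recorded
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            entry_key = f"{key}!{info.filename}"
            entries[entry_key] = sha256_bytes(blob)
            if depth < 2 and info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                entries.update(_archive_entries(entry_key, blob, depth + 1))
    return entries


def inventory(root: str) -> dict:
    """Map every file under root (and every entry of every archive) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = sha256_bytes(data)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                result.update(_archive_entries(rel, data))
    return result


def find_matches(inv: dict, indicators: dict) -> list:
    """Return inventory keys whose content hash or innermost path matches an indicator.
    indicators = {"hashes": set of sha256 hex digests, "paths": set of path suffixes}."""
    hashes = indicators.get("hashes", set())
    paths = indicators.get("paths", set())
    hits = []
    for key, digest in inv.items():
        innermost = key.rsplit("!", 1)[-1]
        if digest in hashes or any(innermost.endswith(p) for p in paths):
            hits.append(key)
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed project: one pasted source file and a fat jar bundling a log4j-core jar."""
    os.makedirs(os.path.join(root, "src", "vendor"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "src", "vendor", "headers.py"), "wb") as f:
        f.write(PASTED_SNIPPET)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS_PATH, b"\xca\xfe\xba\xbe placeholder")  # not real bytecode
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "lib", "app-all.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core.jar", inner.getvalue())
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe placeholder")


def run_demo() -> tuple:
    """Build the sample tree, inventory it, and match it against an advisory's indicators."""
    indicators = {
        "hashes": {sha256_bytes(PASTED_SNIPPET)},  # the hash an advisory would publish
        "paths": {JNDI_CLASS_PATH},
    }
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        inv = inventory(root)
        hits = find_matches(inv, indicators)
    return inv, hits


if __name__ == "__main__":
    _inv, found = run_demo()
    for item in found:
        print("affected:", item)
```

Generating the inventory as a build artifact, next to the SBOM, turns the months-long hunt into a lookup: when an advisory arrives, its published hashes and file paths are matched against inventories already on hand rather than by grepping every repository and unpacking every deployed jar by hand.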
