With modern applications now composed of 80 to 90 per cent Free and Open Source Software (FOSS), the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) on Wednesday published their second open-source census to promote better security and code management practices.
The first such report appeared in 2015, and focused on enumerating critical components in the Debian GNU/Linux distribution. The latest one, "Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software," examines the most commonly used FOSS packages in production applications with an eye toward potential vulnerabilities so organizations can develop better management and security tools.
These reports are part of the Linux Foundation's Core Infrastructure Initiative (CII), a multi-million dollar project backed by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce.com, and VMware. The CII provides companies with a way to fund the open source projects they've come to depend on, like OpenSSL.
Through these reports, the Linux Foundation and LISH aim to promote software ecosystem improvements that will help enterprises and organizations become more active in preventing software vulnerabilities and attacks.
"The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that result in trust and transparency in software," explained Jim Zemlin, executive director at the Linux Foundation, in a statement.
A companion report, "Open Source Software Supply Chain Security" [PDF], makes the case for concern by recalling a series of software package compromises over the past few years. These include the 2015 repackaging of Apple's Xcode IDE to enable malicious code distribution; the 2016 npm "left-pad" debacle; the 2017 Python package (PyPI) typosquatting and 2018 "Colourama" crypto-stealing incident; and the 2018 backdooring of the npm "event-stream" library, among others.
The report touches on various findings, specifically the need for a standardized naming schema for software components (so everyone understands the specific code being discussed), the importance of developer account security (so identities and packages can't be hijacked), and the challenge of dealing with legacy code (because moving to a revised package may not be an easy process).
A second companion report, "Improving Trust and Security in Open Source Projects," [PDF] offers some actual advice on how to deal with the issues raised in the other two publications. These best practices include:
"Hundreds of thousands of open source software packages are in production applications throughout the supply chain, so understanding what we need to be assessing for vulnerabilities is the first step for ensuring long-term security and sustainability of open source software," said Zemlin. ®