Open source software development, where each piece of the code is pulled from disparate libraries, creates a web of complexities. With it, unknown and unaccounted for code can creep in.
"It doesn't even take much imagination; the deeper you get into [open source], it's incredibly complex," said Royal Hansen, VP of security at Google, during an industry roundtable Thursday. "Think of all the open source libraries, which the world depends upon."
Of IT leaders, 90% use open source software in their enterprises, according to Red Hat's 2021 State of Enterprise Open Source report, which surveyed 1,250 IT leaders globally. Eighty-seven percent of leaders say open source is just as secure as proprietary software, if not more so.
With software dependencies commonplace, it's up to industry to clear a path to greater supply chain security in software. If more organizations participate in the open source community looking for vulnerabilities, theoretically fewer software supply chain attacks would occur.
"There's an awful lot of stuff that we depend on," said Gary McGraw, co-founder of the Berryville Institute of Machine Learning, during the call. A combination of open source and proprietary code weakened dependency analysis as code transitioned from a single place of compliance to code assembled "on the fly dynamically all over in some cloud instance or Kubernetes."
The top reasons companies use open source software are fairly evenly split, according to Red Hat:
- 35% use it for higher quality software
- 33% use it to access latest innovations
- 30% use it for better security
- And 30% use it to "safely leverage open source technologies"
Industry is still working on the airtight cryptography of where open source meets proprietary software packages, said Hansen. Without it, the risk of a supply chain attack is woven throughout every company using an open source software package.
Companies can partly insulate themselves against a software supply chain attack with tools like SecurityScorecard, BitSight or QuadMetrics, which rate companies' external security posture and potential weaknesses. However, such tools are limited to detecting the typical causes of a breach, including phishing attacks or human error.
"We can't assume that just because we're using something open source that there isn't going to be backdoors," said Neil Daswani, co-director of Stanford Online's Advanced Cybersecurity Certificate Program, and former CISO for Symantec CBU and LifeLock, and co-author of "Big Breaches: Cybersecurity Lessons for Everyone," on the call.
Notable attacks, including Equifax's 2017 data breach, could be traced back to issues in open source software. The bug exploited in the Apache Struts server, an open source software package, was left unattended for months.
While the open source nature of the Apache Struts server was not a direct cause of the breach, third-party software requires another set of eyes, according to Daswani. Equifax had a sub-group for monitoring third-party threats, the Global Threat and Vulnerability Management team, but lacked a closed-loop vulnerability management system.
There are existing tools for scanning open source for vulnerabilities, though they can easily miss some. "We have to ask ourselves, 'What are the things that are really going to happen?' And I think that addressing the managerial root causes, and the technical root causes have to bubble up," said Daswani.
Even with reliable technologies, management needs improvement, and that often means making room for the CISO at the board table.
"If software security isn't even on the CISO's desk, and the CISO is not talking to the board, we have a really big, big problem," said McGraw.
By combining available technologies and management, companies should get a better grasp of potentially vulnerable code derived from outside libraries. Following the SolarWinds Orion compromise (Orion is not open source), CEO Sudhakar Ramakrishna gave his CISO "complete autonomy" to hold back a product release despite time-to-market pressures, he said during the call.
"The tools, techniques, processes that my CISO uses to attack my own products — nobody knows in the company, outside of myself," said Ramakrishna. The power the CISO has is somewhat independent from the rest of the business.