How AI and Political Factors Hindered the Growth of the Secure Open-Source Software Movement


Open-Source Security: Gains and Challenges Since Log4Shell

In November 2021, a zero-day vulnerability in a widely used segment of open-source code shocked the technology landscape, igniting a fervent campaign to fortify the predominantly volunteer-driven open-source ecosystem.

Almost four years later, this initiative has yielded significant advancements, although it has run into several hurdles that have slowed its progress.

The Log4Shell vulnerability in a well-known Java logging framework galvanized major stakeholders, including the Biden administration, to prioritize open-source security. Leading technology firms such as Amazon, Google, and Microsoft committed substantial funding to bolster security measures.

Much of this progress has been facilitated through the Linux Foundation’s Open Source Security Foundation (OpenSSF), which has generated various tools aimed at assisting developers in assessing and mitigating risks in their code.

The movement that commenced with a White House summit and a comprehensive industry-wide “mobilization plan” quickly faced formidable challenges. A captivating new technology, generative AI, diverted the attention of the tech giants investing in the initiative, while a political transition in the United States diminished governmental efforts to keep the industry aligned.

Experts have underscored the urgency of overcoming these obstacles and doubling efforts toward open-source security. As articulated by Jack Cable, a former senior technical adviser at the Cybersecurity and Infrastructure Security Agency (CISA), “We need to ensure that the momentum we built does not dissipate.”

Progress in Open-Source Security

Since the beginning of 2022, an infusion of resources and attention has catalyzed essential enhancements in open-source security.

Among the most valuable initiatives is the campaign to bolster the security of open-source package repositories. “The repository is the modern distribution point for the majority of consumed software,” noted David Nalley, director of developer experience at Amazon Web Services.

Christopher Robinson, OpenSSF’s chief security architect, emphasized that the objective of this effort is to ensure that “all projects within those ecosystems will inherit strong security practices.”

Amazon has also assisted the developers behind a TLS encryption library for the memory-safe programming language Rust in implementing a federally compliant cryptographic algorithm, making it easier for organizations, particularly those in regulated industries, to adopt memory-safe code.

Robinson also highlighted OpenSSF’s Sigstore project, which enables developers to digitally sign their code, thus minimizing the risk of tampering. Furthermore, tech companies have embedded security experts in communities centered around specific programming languages, serving as conduits between those groups and the broader ecosystem.

The Cybersecurity and Infrastructure Security Agency (CISA) leveraged its expertise to forge connections between agencies utilizing open-source code and the developers responsible for its creation.

Cable, who now leads AI coding security firm Corridor, remarked, “[We] facilitated connections during incidents,” a strategy he praised for its efficacy amid the 2024 XZ Utils crisis, where a malicious actor exploited social engineering to introduce a backdoor into a widely utilized package.

Perhaps most crucially, firms reliant on open-source packages are increasingly assuming accountability for ensuring their security, moving away from the perception of open-source developers as an unpaid support system.

Arnaud Le Hors, a senior technical staffer specializing in open technologies at IBM, noted a shift in business attitudes, acknowledging that reliance on the open-source community to rectify vulnerabilities in used packages is no longer feasible.

“Significant progress has been made” in recent years, Cable concluded, “and much work continues.”

Investment Declines

After Log4Shell exposed the ecosystem's vulnerabilities, leading technology companies convened with Biden administration officials and collectively pledged over $30 million toward services, infrastructure, and personnel to facilitate improvements.


While these efforts have produced some positive outcomes, experts say they fall short of expectations. Aeva Black, who previously led CISA’s open-source security program, remarked that commitments from tech firms have “not materialized at the expected volume,” resulting in widespread disappointment.

Furthermore, many companies have yet to recognize the value they derive from open-source software, failing to engage with maintainers or contribute back to the community.

Amazon, a key backer of OpenSSF’s initiatives, indicated that it continues to invest in open-source security. David Nalley stated that the company is “investing more today than post-Log4Shell,” while acknowledging that some initiatives have yielded favorable results and others have not met expectations.

As corporate ambitions have waned, government involvement has also shrunk: the previous administration actively encouraged progress, while the current one is far less engaged. The Biden administration recently allocated $11 million to open-source security, yet Black reported that “these promises remain unfulfilled.”

Under the Trump administration, budgetary constraints at CISA and the departure of respected experts have severely hampered the agency’s contributions to open-source security. Black noted that CISA’s advocacy previously encouraged tech companies to adhere to their commitments, enhancing community engagement.

Looking ahead, Cable expressed uncertainty regarding the federal government’s future involvement in open-source initiatives.

CISA “remains focused” on addressing open-source security challenges, according to Marci McCarthy, the agency’s director of public affairs. McCarthy stated, “Open-source software is a critical component of our software supply chain” for both governmental and U.S. infrastructure needs.

OpenAI’s Impact on Open-Source Security

On November 30, 2022, shortly after OpenSSF’s security initiative took off, OpenAI launched ChatGPT. The emergence of generative AI captivated public attention, prompting tech companies to hastily integrate this technology. Black noted, “Shortly thereafter, several major companies began redirecting their developers from open-source security efforts to AI projects.”

Over the ensuing years, as companies pivoted their focus toward AI, open-source security efforts suffered. Many Microsoft experts who had worked on open-source security were reassigned to AI-focused teams, even as they transitioned to CISA.

Legal and policy teams at Microsoft, who had been supporting open-source initiatives, also saw reallocations towards AI projects, contributing to a “dramatic shift” within Microsoft subsidiary GitHub.

Black asserted that both Microsoft and Google appear to be diverting resources away from open-source security efforts. While Microsoft did not contest this observation, it affirmed its commitment to remain engaged in the ecosystem. A Google representative claimed that significant resources continue to be dedicated to open-source security.

Some analysts contend that AI could enhance open-source security by expediting the identification and remediation of vulnerabilities. The Defense Advanced Research Projects Agency (DARPA) recently ran a prize competition, collaborating with OpenSSF, aimed at developing AI-enhanced vulnerability detection tools.

Conversely, not all experts share this optimism. Black highlighted a concerning perspective articulated by the developer of the widely utilized curl package, who has found it challenging to manage “AI-generated submissions that lack quality, requiring ongoing rejection of subpar patches.”

Outstanding Challenges

A multitude of critical open-source security concerns remain unresolved, as experts perceive varying levels of commitment toward addressing them.

A significant dilemma is that many software developers, including those working with the U.S. military, often have little visibility into the origins of the code they integrate. “Individuals frequently lack insight into what they are consuming,” Nalley remarked, an issue exacerbated by the sheer number of packages integrated within a single piece of software, an average of 180 according to Sonatype.

Alarmingly, nearly four years after the widely publicized Log4j vulnerability, the defective version still accounts for 13% of all downloads of the package.

OpenSSF’s Scorecard project is meant to help developers address these “dependency” risks. Additionally, software bills of materials (SBOMs) may help clarify package dependencies, although Black cautioned that the complexity of open-source software might undermine their effectiveness.

Another substantial challenge lies in recognizing and supporting critical but under-maintained projects. Some essential projects that underpin the internet rely on just one or two volunteers. “Investment is essential in these areas,” Nalley asserted. Harvard Business School has been actively studying this issue through periodic censuses.

The XZ Utils crisis underscored the need to mitigate trust gaps within projects and comprehensively understand the provenance of every line of code. Le Hors noted that OpenSSF’s Supply-chain Levels for Software Artifacts (SLSA) project aims to address this concern.

Tech firms rewriting packages in memory-safe programming languages face significant adoption hurdles. “Many of the rewrites encountered less than satisfactory adoption,” Nalley noted, citing the difficulty of persuading Linux distributions to adopt a complete overhaul of the vital sudo package because of its excessive dependencies.

Further efforts to secure package repositories are also imperative. “Investment in foundational infrastructure is paramount,” Nalley contended.

Even amid stagnation in the U.S., other nations are taking proactive measures. New EU legislation will mandate businesses to ensure the security of open-source code they utilize, which is likely to have broad global implications.

“Significant progress has been achieved since the Log4Shell incident,” Le Hors asserted. “We are still making strides, especially since the U.S. does not monopolize the global landscape.”

Source link: Cybersecuritydive.com.


Reported By

RS Web Solutions
