2018 Has Been Open Season on Open Source Supply Chains

As the number of open source components used in software supply chains shoots up, hackers are going along for the ride. Increasingly, threat actors are planting bad code in open source repositories in the hope of exploiting those flaws later, once the components are pulled into larger banking, manufacturing and healthcare DevOps projects.

“The wake-up call was the Equifax breach and the Struts vulnerability,” said Derek Weeks, vice president and DevOps advocate at Sonatype. In late 2017, an open source component led to one of the most costly breaches in corporate history. “For months after the massive Equifax breach the vulnerable Struts component continued to be downloaded 72,000 times,” Weeks said.

The numbers and analysis come from Sonatype’s 2018 State of the Software Supply Chain Report, released on Tuesday. The report revealed that, of the more than 300 billion open source components downloaded in the past year, one in eight had known security vulnerabilities.

Weeks said a pressure-cooker environment to accelerate software innovation is pushing companies to prioritize speed over security. In its report, Sonatype found open source vulnerabilities increased 120 percent year over year. The mean time for hackers to exploit those vulnerabilities has been compressed, going from an average of 45 days to just three. “Suspected or known open source breaches increased 55 percent year over year,” the report stated (registration required).

The 37-page report analyzes the past 12 months of patterns and practices associated with open source software development. The yearly report looks at software supply chain management and the software tools and modules used in executing supply chain transactions, managing supplier relationships and those tied to controlling related business processes.

“Open source software is absolutely needed and vital to developers,” Weeks said. “But currently there are no guidelines or rules for preventing developers from building software with known vulnerabilities.” Compounding the problem is the fact that public vulnerability databases lack information on more than 1.3 million open source security advisories, the report states.

He said that unlike regulations that prevent carmakers from installing faulty Takata airbags in motor vehicles, there are no such restrictions on bad software. The problem is twofold, he said. One, there are few turnkey solutions that alert DevOps teams to bad code. The second is a dearth of enforcement in the private sector.

One bright spot in this year’s report is data that suggests managing software supply chains through automated open-source software governance reduces the occurrence of vulnerabilities by 50 percent. “DevOps teams are 90 percent more likely to comply with open source governance when policies are automated,” the report states.
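The automated governance the report credits with halving vulnerability occurrence amounts to a policy gate in the build: resolve the dependency list, compare each component against an advisory feed, and fail the build when policy says so, rather than relying on a developer to remember to check. The script below is an added illustration of such a gate and is not Sonatype's tooling or code from the report. The advisory feed, the Maven-style dependency manifest and the advisory identifiers (`ADV-EXAMPLE-…`) are all constructed placeholders, not real vulnerability records; in practice the feed would come from a vulnerability database and the manifest from the build tool's resolved dependency tree.

```python
"""Policy-as-code gate for open source components (added example, not Sonatype's code).

Blocks a build when a resolved dependency matches an advisory at or above a
severity threshold; lower-severity matches are reported as warnings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed advisory feed (placeholder IDs, not real CVEs). Keyed by Maven
# coordinate "group:artifact"; each advisory names the first fixed version.
ADVISORIES: Dict[str, List[dict]] = {
    "org.example.web:framework-core": [
        {"id": "ADV-EXAMPLE-0001", "severity": 9.8, "fixed_in": "2.3.32"},
    ],
    "org.example.util:io-helpers": [
        {"id": "ADV-EXAMPLE-0002", "severity": 5.3, "fixed_in": "1.4.1"},
    ],
}

# Constructed dependency manifest, one resolved "group:artifact:version" per line,
# in the shape a build tool's dependency listing might produce.
MANIFEST = """\
# resolved dependencies (constructed sample)
org.example.web:framework-core:2.3.30
org.example.util:io-helpers:1.3.9
org.example.json:parser:3.1.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.30' into (2, 3, 30); a non-numeric segment counts as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """A component is affected when its version precedes the first fixed version."""
    return parse_version(version) < parse_version(fixed_in)


@dataclass
class Finding:
    coordinate: str
    advisory_id: str
    severity: float
    fixed_in: str


def evaluate(manifest: str, advisories: Dict[str, List[dict]],
             block_at: float = 7.0) -> Tuple[List[Finding], List[Finding]]:
    """Match every manifest entry against the feed; return (blocking, warnings)."""
    blocking: List[Finding] = []
    warnings: List[Finding] = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"malformed coordinate: {line!r}")
        group, artifact, version = fields
        for adv in advisories.get(f"{group}:{artifact}", []):
            if is_affected(version, adv["fixed_in"]):
                finding = Finding(line, adv["id"], adv["severity"], adv["fixed_in"])
                (blocking if adv["severity"] >= block_at else warnings).append(finding)
    return blocking, warnings


def gate(manifest: str = MANIFEST, advisories: Dict[str, List[dict]] = ADVISORIES,
         block_at: float = 7.0) -> int:
    """Print findings and return a process exit code: 1 blocks the build, 0 passes it."""
    blocking, warnings = evaluate(manifest, advisories, block_at)
    for f in warnings:
        print(f"WARN  {f.coordinate}: {f.advisory_id} (severity {f.severity}), fixed in {f.fixed_in}")
    for f in blocking:
        print(f"BLOCK {f.coordinate}: {f.advisory_id} (severity {f.severity}), fixed in {f.fixed_in}")
    print("policy: FAIL" if blocking else "policy: PASS")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate())
```

Wired into CI as a required step, `gate()` turns the report's "known vulnerability" category into a hard stop: the constructed manifest fails because `framework-core 2.3.30` predates the fix in 2.3.32, while the lower-severity `io-helpers` match only warns. The threshold and the feed are the policy; keeping them in version-controlled data rather than in developers' heads is what makes the governance enforceable.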

Weeks said a number of high profile incidents tied to flaws buried inside software supply chains are raising hackles within regulatory circles here in the U.S. and abroad. In June 2017, Representatives Anna Eshoo (D-CA) and Susan Brooks (R-IN) introduced the Promoting Good Cyber Hygiene Act. In August 2017, Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), introduced bipartisan legislation called the Internet of Things Cybersecurity Improvement Act of 2017.

“While legislation from the Senators was clearly aimed at consumer protections and privacy, it also focuses on quality, safety, and regulatory standards applied to every other major manufacturing industry (i.e., do not ship products with known defects).”

Sonatype points out when it comes to software supply chains and cybersecurity hygiene, the industry has done little to regulate itself. “The incentives simply don’t exist for self-governance in the face of pressures to innovate and maintain competitive differentiators,” the report states.

The report promotes managed software supply chains, which Sonatype claims are twice as efficient and twice as secure. “Supply, and demand for, open source shows no sign of slowing down,” the report states. “More than 15,000 new or updated open source releases are made available to developers every day. The average enterprise downloaded 170,000 Java components in 2017, up 36 percent year over year.”