5 July 2019

How open source software is being weaponised

Nicholas Fearn

In the technology world, open source software plays a powerful role. Released under a license that allows users to tweak and distribute applications for any purpose, it promotes open collaboration among technologists and offers a range of advantages.

For starters, adopting open source can provide access to high-quality software that doesn't cost a penny, and users are often surrounded by a community of like-minded users who can support and improve the application. There are further advantages when it comes to transparency, flexibility, interoperability and localisation.

Arguably, open source software holds a prized place in the technology ecosystem. But that's not to say there aren't risks, with hackers weaponising open source software libraries (OSSLs) through OSSL trust attacks that target the software supply chain. According to Sonatype, these threats increased by 55% last year.

In one notable example, event-stream - a JavaScript library used by two million people globally - was infected with malicious code that steals bitcoins from wallets. The software was used by a plethora of Fortune 500 companies and startups. Just how dangerous are such attacks and how can they be mitigated?

A sophisticated threat

Attackers are constantly developing more sophisticated ways to compromise organisations, and it's fair to say OSSL trust attacks are one of them. Jing Xie, senior threat intelligence researcher at Venafi, says their defining characteristic is that the organisation that actually gets breached isn't the intended target.
