Open source repositories are critical to running and writing modern applications, but be careful: carelessness could detonate landmines and inject backdoors and vulnerabilities into software infrastructures. IT departments and project maintainers must evaluate a project’s security capabilities to ensure that malicious code is not embedded in the application.
A new security framework from the Cybersecurity and Infrastructure Security Agency (CISA) and the Open Source Security Foundation (OpenSSF) recommends enabling multi-factor authentication for project maintainers, third-party security reporting capabilities, and alerts for obsolete or insecure packages, among other controls, to help reduce exposure to malicious code and packages masquerading as open source code on public repositories.
“The open source community gathers around these watering holes to fetch these packages. They have to be, from an infrastructure perspective, secure,” says Omkhar Arasaratnam, general manager of OpenSSF.
Where bad code can be found
These collection points include GitHub, which hosts entire programs, programming tools, and APIs that connect software to online services. Other repositories include PyPI, which hosts Python packages; NPM, which is a JavaScript repository; and Maven Central, which is a Java repository. Code written in Python, Rust, and other programming languages downloads libraries from multiple package repositories.
Developers could be unintentionally tricked into pulling in malicious software that has been inserted into package managers, which could allow hackers to gain access to systems. Programs written in languages such as Python and Rust could include malicious software if developers link to the wrong URL.
The guidelines set forth in CISA and OpenSSF’s “Principles for Package Repository Security” build on the security efforts already adopted by repositories. The Python Software Foundation last year adopted Sigstore, which guarantees the integrity and provenance of packages contained in its PyPI and other repositories.
Security across repositories isn’t terrible, but it’s inconsistent, Arasaratnam says.
“The first part is to bring together some of the most popular… and significant ones within the community and start to establish a set of controls that could be used universally among them,” Arasaratnam says.
The new guidelines could prevent incidents such as namesquatting, in which malicious packages are downloaded by developers who mistype the file name or enter the wrong URL.
“You could accidentally launch a malicious version of the package, or it could be a scenario where someone uploaded malicious code under the maintainer’s identity but only because the machine was compromised,” Arasaratnam says.
Malicious packages are more difficult to recognize
Package security on repositories dominated a panel session on open source security at the Open Source in Finance Forum (OSFF) in New York last November.
“It’s like the old days of browsers, when they were inherently vulnerable. People would go to a malicious website, see a backdoor drop, and then say, ‘Whoa, this isn’t the right site,’” said Brian Fox, co-founder and chief technology officer of Sonatype, during the round table. “We are tracking over 250,000 intentionally malicious components.”
IT departments are dealing with malicious code and packages masquerading as open source code, Ann Barron-DiCamillo, Citi’s managing director and global head of IT operations, said at the OSFF conference.
“Speaking of malicious packets, in the last year we have seen a double increase compared to previous years,” she said. “This is becoming a reality associated with our development community.”