Organizations are becoming increasingly dependent on open source libraries (OSLs) to develop code for software and websites. However, Jing Xie, senior threat intelligence researcher for Venafi, warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks.
Cybercriminals use trust attacks to maliciously manipulate and insert code into open source libraries, taking advantage of organizations’ dependence on them. Unsuspecting developers and site managers actively introduce malware into their own software and websites when they use a compromised OSL.
When the infected code is distributed by a legitimate developer, the resulting malicious software will be automatically trusted by its users’ computers, infecting their computers and networks.
Since trust-based attacks can infect millions of computers very quickly, it is critical that organizations increase their awareness about the risks associated with OSL security. According to Xie, there are four ways OSLs create risks for organizations:
- Undetectable malware: The implicit trust afforded to OSLs – which are often not moderated – means site managers and developers pick up infected libraries and use them, without realizing malware has been added.
- Infected supply chains: The prolific use of OSLs across enterprises means that if one piece of code is infected, a ripple effect can carry the infected code across multiple businesses. Once an infected library is in use, it’s likely the entire software development supply chain will be impacted by the attack.
- Legitimate-looking code: In addition to inserting malicious code into genuine OSLs, threat actors often create and run their own rogue OSLs. Given the large number of OSLs organizations use daily, it can be difficult to distinguish those that are rogue from their legitimate counterparts, and developers can be duped into using them.
- Massive data leaks: Cybercriminals can leverage malware inserted into an OSL after it has been incorporated into applications and websites to create backdoors. Since the backdoors have been created by trusted OSLs they are nearly undetectable, allowing attackers to steal data, spy on users and disguise a wide range of illicit activity.
“This is a very real problem, and recent research from Sonatype revealed a 55 percent increase in breaches resulting from OSL trust attacks in 2018,” said Xie. “It’s unrealistic, though, to ask businesses to completely change their practices by limiting the use of OSLs. Instead, the industry needs to work together to make open source code more dependable.”
Venafi recommends that developers and consumers utilize code-signing certificates to help determine which OSLs can be trusted – this is a practical approach to validating the authenticity of an OSL. “In addition, we encourage organizations to track internal OSL code, recording library releases and any problems,” Xie concluded. “These steps make it possible for OSL users to quickly identify issues, simplifying the remediation process and helping the OSL community build consensus on which OSLs are most trustworthy.”