How to Ensure Open Source Packages Are Not Landmines

CISA and OpenSSF jointly published new guidance recommending technical controls to make it harder for developers to bring malicious software components into code.
March 8, 2024
Open source repositories are critical to running and writing modern applications, but beware — carelessness could detonate mines and inject backdoors and vulnerabilities in software infrastructures. IT departments and project maintainers need to assess a project's security capabilities to ensure malicious code is not being incorporated into the application.
A new security framework from the Cybersecurity and Infrastructure Security Agency (CISA) and Open Source Security Foundation (OpenSSF) recommends enabling multifactor authentication for project maintainers, third-party security reporting capabilities, and warnings for outdated or insecure packages, among other controls, to help reduce exposure to malicious code and packages masquerading as open source code on public repositories.
"The open source community gathers around these watering holes in order to fetch these packages. They have to be — from an infrastructure perspective — secure," says Omkhar Arasaratnam, general manager of OpenSSF.
Those watering holes include GitHub, which hosts entire programs, programming tools, and APIs that connect software to online services. Other repositories include PyPI, which hosts Python packages; NPM, which is a JavaScript repository; and Maven Central, which is a Java repository. Code written in Python, Rust, and other programming languages downloads libraries from multiple package repositories.
Developers could unintentionally be tricked into pulling in malicious software that could be injected in package managers, which could give hackers access to systems. Programs written in languages like Python and Rust could include malicious software if developers link up to the wrong URL.
The guidelines laid out in CISA and OpenSSF's "Principles for Package Repository Security" build on security efforts already adopted by repositories. The Python Software Foundation last year adopted Sigstore, which ensures the integrity and provenance of the packages that are contained within its PyPI and other repositories.
The security across repositories isn’t abjectly bad, but it is inconsistent, Arasaratnam says.
"The first part is to gather some of the more popular … and significant ones within the community and start to establish a set of controls that could be used universally across them," Arasaratnam says.
The new guidelines could prevent incidents such as namesquatting, where developers who mistype a file name or URL end up downloading malicious packages.
"You may accidentally boot a malicious version of the package, or it could be a scenario where somebody has uploaded code that is malicious under the identity of the maintainer but only due to machine compromise," Arasaratnam says.
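A defender-side check for the namesquatting case described above, as an added example that is not part of the original article: it compares the names in a requirements list against a reviewed allowlist and flags near-misses before anything is installed. The allowlist, the sample requirements and the function names are constructed for illustration.

```python
import re

# Constructed allowlist: package names the team has reviewed (assumption).
APPROVED = {"requests", "numpy", "pandas", "cryptography", "python-dateutil"}
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def audit(requirements, approved=APPROVED, max_dist=2):
    """Return (name, verdict, lookalikes) for every name not on the allowlist."""
    known = {normalize(n) for n in approved}
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = NAME_RE.match(line)               # skips blanks and '-' option lines
        if not m:
            continue
        name = normalize(m.group(0))
        if name in known:
            continue
        near = sorted(k for k in known if edit_distance(name, k) <= max_dist)
        findings.append((name, "lookalike" if near else "unreviewed", near))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.31.0
reqeusts==2.31.0      # transposed letters
numpy>=1.26
python_dateutil==2.9.0
pandsa
leftpad-utils==0.1
"""

if __name__ == "__main__":
    for name, verdict, near in audit(SAMPLE):
        print(f"{verdict:10} {name:15} close to: {', '.join(near) or '-'}")
```

A "lookalike" verdict is a reason to stop and confirm the name by hand; an "unreviewed" one means the package still needs review before it joins the allowlist.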
The security of packages on repositories dominated a panel session about open source security at the Open Source in Finance Forum (OSFF) in New York last November.
"It is like the old days of browsers when they were inherently vulnerable. People would go to a malicious website, get a backdoor dropped, and then go, 'Whoa, this isn't the site,'" said Brian Fox, co-founder and chief technology officer at Sonatype, during the panel discussion. "We're tracking well over 250,000 components that were intentionally malicious."
IT departments are coming to grips with the malicious code and packages masquerading as open source code, said Ann Barron-DiCamillo, managing director and global head of cyber operations at Citi, at the OSFF conference.
"Talking about malicious packages over the last year, we have seen a twofold increase over previous years," she said. "This is becoming a reality associated with our development community."
Agam Shah, Contributing Writer

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.