Earlier this year, Microsoft developers discovered that someone had inserted a backdoor into the code of XZ Utils, an open source utility used in virtually all Linux operating systems.
The operation began two years ago when a person nicknamed JiaT75 began contributing to the XZ Utils repository on GitHub. Cybersecurity experts called the attack a “nightmare scenario” and “the most successfully executed supply chain attack they have ever seen.”
This attack comes on the heels of other high-profile cybersecurity incidents involving open source software, including Heartbleed, Shellshock, and Log4j, which pose a significant security risk given their widespread use. The incident once again highlighted the possibility of such attacks.
At TechCrunch Disrupt 2024, Sequoia Capital partner Bogomil Balkansky; Aeva Black, director of open source security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA); and Luis Villa, co-founder of Tidelift, discussed the challenges of securing open source software.
“I like to say open source is not free like pizza. It's free like a puppy. If you don't take it home and feed it, it will eat your furniture and your shoes,” Black said.
Balkansky calls open source software “the lifeblood of software,” making it “the foundation and built into everything.” The problem, Balkansky added, is that “the open source business model is still evolving.”
So who should manage it and pay to secure it?
Villa and his team at Tidelift propose a model where open source maintainers manage the code and partners fix vulnerabilities.
Black explained that CISA is currently involved and is launching an initiative to educate companies on what are the best and worst security practices when it comes to deploying open source software. “We're here to be part of the open source community and work with them,” said Black, who believes open source software is a public good.
Looking ahead, Balkansky said, “Solutions to open source security need to be open source, at least to some degree,” and cautioned that “there is no silver bullet.”
Villa said “multiple approaches” and “layered defense” are needed. This means multiple layers of security are needed to protect open source ecosystems.
And Black said software developers need to know what open source software is included in their products. “We need better engagement so that everyone can do it with less effort and less burden on individual volunteer maintainers and nonprofit organizations,” Black said.