Open-source code: The next major wave of cyberattacks
Open-source software is ubiquitous. It has become an unequaled driver of technological innovation because organizations that use it don’t have to reinvent the wheel for common software components.
However, the ubiquity of open-source software also presents a significant security risk, as it opens the door for vulnerabilities to be introduced (intentionally or inadvertently) to the consumers of open-source software products. The recent race to address major vulnerabilities in the widely used Log4j code library is the biggest sign yet that risks within the open source software environment must be addressed.
The Open Source Appeal for Cybercriminals
The open-source attack method is appealing to bad actors because it can be widespread and highly effective. Attackers can use various methods to obfuscate malicious changes contributed to open-source projects, and the rigor in reviewing code for security implications can vary widely across projects. Without stringent controls in place to detect these malicious changes, they may go unnoticed until after they’ve been distributed and included in software across numerous companies.
Attacks on open-source code can vary in size and the entities they affect. For example, last July, researchers found nine vulnerabilities affecting three open-source projects — EspoCRM, Pimcore, and Akaunting — which are frequently leveraged by small and midsize businesses. What’s more, the 2017 Equifax data breach, which affected the personal data of 147 million people as a result of a vulnerability in the organization’s open-source code, is a clear example of how vulnerabilities can be exploited by bad actors and cause widespread damage.
Never Going to Give You Up
CISA has said that hundreds of millions of devices were likely affected by the Log4j vulnerability. Given the magnitude of this incident, many enterprises are likely analyzing whether to leverage open-source code for future developments.
However, forgoing open source altogether isn’t realistic. All modern software is built from open-source components, and rebuilding those components without open source would require massive investments in time and money to produce even minor applications. Over 60% of websites worldwide run on Apache and Nginx servers, and 90% of IT leaders reportedly use enterprise open-source code regularly.
To read the complete article, visit Dark Reading.