Developers Need to Pay Attention: Attacks On Open Source Are Going to Get Worse [Video]

It's always an uphill battle fighting for the security of your open source software.

by Derek Weeks · Apr. 25, 19 · Presentation

As vital as we know open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to expedite software development is clear — but so is the significant room for error, when not properly managed.

Two years ago, Sonatype's CTO, Brian Fox, started chronicling a disturbing turn of events that showed that a shifting landscape of attacks based on OSS consumption was emerging. Since then, he's seen a consistent increase in malicious open source and supply chain attacks that make one thing clear — it’s only going to get worse. Most recently it was the Bootstrap-sass hack and before that, the event-stream attack.

At a NADOG event earlier this month, Brian shared even more research on these attacks and how the open source industry needs to change given today’s new normal. A video of his presentation is below — I definitely recommend a listen.


A little background on how we got here: five years ago, large and small enterprises alike witnessed the first prominent Apache Struts vulnerability. In this case, Apache responsibly and publicly disclosed the vulnerability at the same time they offered a new version that fixed it. Despite Apache doing their best to alert the public and prevent attacks from happening, many organizations were either not listening, or did not act in a timely fashion, and, therefore, exploits in the wild were widespread. Simply stated, hackers profit handsomely when companies are asleep at the wheel and fail to react in a timely fashion to public vulnerability disclosures.

Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collections and others, including the 2017 attack on Equifax — all of which followed the same pattern of widespread exploit post-disclosure.

Shift forward to today and hackers are now creating their own opportunities to attack.

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors.

It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days — and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.

This troubling trend makes it even more vital for enterprises to understand what open source components they’re using and where, and increasingly important for open source developers to pay attention to their own security.
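The two defensive habits the article points at, knowing exactly which components you consume and refusing to pull in anything that has not been pinned, can be checked mechanically. The following is an added example (not code from the article, from Sonatype or from any project it mentions): a small Python audit over an npm-style package-lock.json that flags dependencies with no content hash, a weak hash algorithm, or a tarball resolved from a registry host the build does not trust. The lockfile, package names, hosts and digests are constructed placeholders, and the allowed-host policy is an assumption.

```python
import json
from urllib.parse import urlparse

# Registry hosts a build is allowed to fetch tarballs from (assumed policy).
ALLOWED_HOSTS = {"registry.npmjs.org"}

# Constructed package-lock.json (lockfileVersion 1 layout); names, versions
# and digests are placeholders, not real packages or real hashes.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 1, "dependencies": {
    "good-pkg": {
        "version": "1.2.3",
        "resolved": "https://registry.npmjs.org/good-pkg/-/good-pkg-1.2.3.tgz",
        "integrity": "sha512-AAAA",
        "dependencies": {"nested-pkg": {
            "version": "0.9.0",
            "resolved": "https://mirror.example.test/nested-pkg-0.9.0.tgz",
            "integrity": "sha512-BBBB"}}},
    "unpinned-pkg": {
        "version": "2.0.0",
        "resolved": "https://registry.npmjs.org/unpinned-pkg/-/unpinned-pkg-2.0.0.tgz"},
    "legacy-pkg": {
        "version": "0.0.1",
        "resolved": "https://registry.npmjs.org/legacy-pkg/-/legacy-pkg-0.0.1.tgz",
        "integrity": "sha1-CCCC"}}})


def audit_lock(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (path, finding) pairs for a package-lock.json tree.

    A version alone does not pin content: a hijacked maintainer account can
    republish a tarball, so each entry needs a strong hash and a trusted host."""
    findings = []

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}>{name}" if prefix else name
            if meta.get("bundled"):
                continue  # shipped inside the parent tarball, covered by its hash
            integrity = meta.get("integrity", "")
            if not integrity:
                findings.append((path, "missing integrity hash"))
            elif not integrity.startswith(("sha512-", "sha256-")):
                findings.append((path, "weak or unknown integrity algorithm"))
            host = urlparse(meta.get("resolved", "")).hostname
            if host not in allowed_hosts:
                findings.append((path, f"resolved from unexpected host {host}"))
            walk(meta.get("dependencies", {}), path)  # recurse into nested deps

    walk(json.loads(lock_text).get("dependencies", {}), "")
    return sorted(findings)
```

A hash check only catches a tarball swapped at an already-recorded version; a malicious release published as a new version is kept out by the lockfile itself, so the audit belongs in CI alongside a rule that lockfile changes are reviewed.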


Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
