This year presented even more challenges for ensuring the integrity and security of open-source ecosystems. Open source has been the greatest boon to developers in that virtually anyone can use and customize it, typically at no cost, and contribute to the community. What has been a means of ensuring greater transparency, security and promoting developer collaboration across projects has also paved ways for adversaries to profit off the cause.
As a security researcher, I came across and analysed incidents this year where over 700 typo-squatting RubyGems packages served no purpose other than mining bitcoins. Then there’s the popular case of Octopus Scanner, malware that had silently injected its tentacles into at least 26 GitHub projects. These incidents underscore the fact that any open system that is accessible to the public is also accessible to adversaries and prone to abuse.
The examples above focus on malicious components. What about legitimate open-source packages with security vulnerabilities that go unnoticed?
A vulnerable or malicious package that makes its way into popular repositories, and eventually into your software supply chain, can wreak havoc for your customers. Vulnerable and malicious components have been detected in popular open-source repositories such as npm, PyPI, NuGet and Fedora.
“In past years, we have seen that in terms of total vulnerabilities identified in open-source packages across the ecosystems, Node.js and Java have traditionally shown the greatest number of new vulnerabilities each year,” said the authors of Snyk’s State of Open Source Security Report 2020.