Top 1000 Open Source Libraries


When you think of large open source projects, you certainly think of Linux, Apache web server, LibreOffice, etc. And it’s true, these projects are vital. But below them are the essential software libraries that allow hundreds of thousands of other programs to work.

They are much less known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF) recently conducted an exhaustive survey, Census II of Free and Open Source Software – Application Libraries, of these hidden critical programs.

This is the second study of this type. The first, titled “Kernel Vulnerabilities, Preliminary Report and Inventory II of Free Software”, focused on low-level critical operating system libraries and utilities. This new report brings together data from over half a million observations of free and open-source software (FOSS) libraries used in production applications in thousands of companies.

The Log4Shell example

The data in this report comes from software composition analysis (SCA) of codebases from thousands of companies. This data was provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC) and FOSSA.

The goal, besides just wanting to know what the most popular open source application libraries, packages, and components are, is to help secure those projects. Until you know what is important, you can’t know what to secure first.

For example, the previously relatively unknown log4j logging package became a major security issue when the zero-day Log4Shell flaw was exposed. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security (DHS), called it “the most severe vulnerability I’ve seen in my decades-long career”. This bug affected tens or hundreds of millions of devices and programs.

Kevin Wang, founder and managing director of FOSSA, observes that “the ubiquitous nature of free software means that serious vulnerabilities, such as Log4Shell, can have a devastating impact. Building a comprehensive defense against supply chain threats starts with establishing strong software visibility. It is only by understanding our free software dependencies that we can improve transparency and trust in the software supply chain.”

Mike Dolan, Senior Vice President of Projects at the Linux Foundation, added, “Understanding which FOSS packages are most critical to society allows us to proactively support projects that deserve operational and security support. Free software is the foundation upon which our daily lives operate, from our banking institutions to our schools and workplaces.”

This census breaks down the 500 most used free software packages into eight different lists. These are different slices of the data: versioned versus version-agnostic, npm versus non-npm package manager, and direct versus indirect package calls. For example, the 10 most used version-agnostic npm JavaScript packages that are called directly are:

  1. lodash
  2. react
  3. axios
  4. debug
  5. @babel/core
  6. express
  7. sow
  8. uid
  9. react-dom
  10. jquery

These libraries, along with other major libraries, should be closely monitored for any security issues.
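As an added example (not part of the ZDNet article or the Census II report), the script below applies the same slices to a constructed package-lock.json: direct versus indirect calls, and versioned versus version-agnostic counts. The lockfile contents, and every package name and version not in the list above, are made up for illustration.

```javascript
// Constructed sample lockfile in the lockfileVersion 2 layout: the root entry ""
// lists what the application calls directly; every other key is an installed
// package path. Versions and the non-listed package names are made up.
const lockfile = {
  name: "sample-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { lodash: "^4.17.21", axios: "^1.6.0", debug: "^4.3.4" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/axios": { version: "1.6.0", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.4" },
    "node_modules/debug": { version: "4.3.4", dependencies: { ms: "2.1.2" } },
    "node_modules/ms": { version: "2.1.2" },
    // A second copy of debug at another version, pulled in transitively by axios.
    "node_modules/axios/node_modules/debug": { version: "3.2.7" },
  },
};

// Package name is the part of the path after the last "node_modules/".
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Slice a lockfile the way the census does: which packages the application
// calls directly, which arrive only as transitive dependencies, and how many
// distinct packages there are with and without versions taken into account.
function sliceDependencies(lock) {
  const direct = new Set(Object.keys(lock.packages[""].dependencies || {}));
  const versioned = new Set();       // "name@version" pairs
  const versionAgnostic = new Set(); // names only
  const indirect = new Set();        // occurrences not called directly by the app
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    versioned.add(`${name}@${meta.version}`);
    versionAgnostic.add(name);
    // Direct means the top-level install of a package the root depends on;
    // nested copies (deeper node_modules) are indirect even for a direct name.
    const topLevel = path === `node_modules/${name}`;
    if (!(topLevel && direct.has(name))) indirect.add(`${name}@${meta.version}`);
  }
  return {
    direct: [...direct].sort(),
    indirect: [...indirect].sort(),
    versioned: [...versioned].sort(),
    versionAgnostic: [...versionAgnostic].sort(),
  };
}

console.log(JSON.stringify(sliceDependencies(lockfile), null, 2));
```

The versioned and version-agnostic counts differ whenever one package is installed at several versions, which is exactly why the census reports both slices.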

In addition to their simple enumeration, the authors of the survey, from Harvard University, made five general findings:

1) It is necessary to establish a standardized naming scheme for software components. As it stands, the names aren’t random, but there isn’t much rhyme or reason to it either.

2) We need to simplify the complexity of package versions. Can you tell at a glance what version a package is? You can if you’re working on this program, but if you’re just using it as a brick in your higher-level software, it might be a mystery.

3) Most popular free software is developed by only a handful of contributors. Everyone knows the XKCD cartoon of a giant software stack that depends on a single developer in Nebraska. What’s sad and funny about all of this is that it’s not a joke. We still depend on code that depends on a single programmer.

4) It is becoming essential to improve the security of individual developer accounts. With hacker attacks on developers becoming more frequent, we need to protect their accounts like the crown jewels of development that they are.

5) Legacy software in the open-source space should be cleaned up. Usually we think of legacy software in terms of that person we all know who is still using Windows XP. But old and wonky code also lives in free software repositories.

That said, while this survey is useful, the job is far from done. More important and continuous work must be done. All participants in this report plan to work on another study. It is only a precursor to more comprehensive studies to come to better understand these critical pillars of our information infrastructure.


Source: “ZDNet.com”