BLACK HAT USA 2021, Las Vegas — When security researchers and the open source community disclosed the Heartbleed vulnerability in OpenSSL in April 2014, the project, which underpins much of the secure communications on the Web, had only two full-time developers. That lack of resources for such a critical project highlights the problems open source projects and components continue to face: too little funding, slow patching, and, increasingly, a great deal of attention from attackers.
Speaking at the Black Hat USA briefings in Las Vegas, two open source security advocates called for more coordinated funding of open source projects, especially critical ones, and for far broader collaboration between security researchers and developers. The security of open source software is foundational to every part of the technology ecosystem, said Jennifer Fernick, NCC Group's global head of research in North America, during the talk "Securing Open Source Software."
"Ultimately, open source security keeps getting worse," Fernick said. "On average, it is taking years to detect the typical vulnerability in open source software, [but] exploitation of vulnerabilities in the wild is happening faster than ever before [and] developers are not getting better at writing secure code."
During the talk, Fernick and her co-speaker, Christopher Robinson, Intel's director of security communications, said companies that build on open source software need to give back to the community that maintains it, and to do so far more extensively than they do today.
The two security experts, both leaders in the Open Source Security Foundation (OpenSSF), highlighted the broken economics of open source software: many companies rely on its security, but very few put employee hours toward that goal. Security researchers and developers are not incentivized to write patches for vulnerabilities, while exploiting those same vulnerabilities is an attacker's top priority. No wonder attackers are winning, Fernick said.
The economics have to change, she said.
"A lot of times we give in to the tragedy of the commons, where we have thought that someone has looked at the code, that they have analyzed the code, but in practice this very well may not be the case," Fernick said. "There are entirely different economic incentives for open source developers and maintainers, compared to enterprise developers and maintainers, compared to the attackers — both security researchers and threat actors."
The issues will only get worse. Research into automation and machine-learning techniques is producing more scalable bug-finding tools, which will lead to more vulnerability disclosures. These automated and AI-driven vulnerability scanners, so-called "dual-use technologies" because they serve defenders and attackers alike, will leave a growing backlog of unpatched security issues if the economics of patching and defense do not change. Currently, 84% of codebases contain at least one security vulnerability, according to Synopsys.
For that reason, Intel's Robinson said, the real problem is how to reduce vulnerabilities at scale.
"We need to find ways to eliminate whole classes of bugs," he said. "Doing individual-vulnerability whack-a-mole — closing onesy, twosies — does not work."
The OpenSSF has so far concentrated on identifying the most critical projects and increasing scrutiny and analysis of them. Beyond that, the speakers said, a much larger collaborative effort is needed: to instill secure development practices in developers, to coordinate vulnerability disclosure so that the risk to downstream consumers is reduced, and to give developers an informed choice, through a software bill of materials (SBOM), when selecting open source components.
Today there are weaknesses at many points in the secure software development life cycle, including places where easy security wins were available but never taken. Contributing back to the security efforts of open source projects is crucial, NCC Group's Fernick said.
"We have all of these different competing factors that are bringing together this challenge in securing open source, and despite all of this we have these incredibly high-value targets that are foundational to many of these technologies that power our world and the Internet itself," she said. "We may ask, will the security of open source software get better or get worse? And without serious and coordinated intervention, I think it will get worse."
In addition to identifying the most critical open source software, security experts and developers should work to prevent inherited security debt, coordinate funding for the most important and most widely used projects, and find ways to speed up patching.
"Ultimately, our goal in this talk is to do outreach, because for many security researchers, it is hard to know how to make an impact," Fernick said.