Recently, Synopsys published their 8th annual report on the security and risk analysis of open-source software. The truth is that open-source is everywhere: in fact it’s thought that about 96% of codebases contain open-source, embedded into the technology supply chain, fuelling development of new products, or hard-wired into existing products, and in almost every industry. It’s important to be aware of vulnerabilities.
Open-source software is typically any software that’s released under a license by a copyright holder, granting users permission to adapt, modify, implement, and deploy the source code. It’s collaborative, enabling developers to build solutions quickly, harnessing the incredible power of a community of people solving similar problems.
This approach to collaboration has always been at the heart of PQShield’s DNA. Our research has been used across the world to develop post-quantum solutions that are quantum-resilient, and already, applications such as Signal now contain PQShield’s IP.
We believe in protecting and defending the supply-chain, particularly from the threat of a quantum attack, either now with a view to harvesting data, or in the future, when current cryptographic techniques become obsolete. That’s why this latest focus on the potential vulnerabilities of open-source software is so important. We want to make sure organizations, companies, industries, and nations are protected.
What did Synopsys discover?
The report is based on scans of over 1,700 codebases in 17 different industries, and it does present some concerning trends. For example, Synopsis report that 91% of codebases contained components that had had no new development in the previous two years, and that 89% contained open source software more than four years out-of-date.
What’s more, 84% of codebases contained at least one known open-source vulnerability, and 46% contained high-risk vulnerabilities – defined as either actively exploited or classified as remote code execution vulnerabilities. The chances are that your industry, your components, your software and your products are already at risk due to open source vulnerabilities. In fact, Gartner estimates that more than 45% of organizations worldwide will experience attacks on their software supply chains by the year 2025, and open source is likely to be a weak-point of entry for potential attackers.
As Synopsys point out, the use of open source software is essentially not itself the problem. After all, the world runs on the collaborative nature of software development, and there’s no doubt that it influences the technology supply chain. Open source is powerful and important. But there might be considerations that help mitigate against some of these vulnerabilities.
Maintenance
Open source projects can be the product of any number of contributors and maintainers. However, if 91% of those projects feature no new features or upgrades, then the chances are that they haven’t been maintained. Whether it’s a popular tool such as Linux or Kubernetes, or a smaller solution, it’s vital to ensure that all open source is supported by a robust community, so that the software we rely on is routinely upgraded. As users of open source, the onus is on all of us to take responsibility for its security and stability. It’s also worth noting that commercial IP vendors, as opposed to open source, provide security patches as part of service level agreements, and could be considered a much safer choice.
Trust but Verify
Unfortunately, we can’t trust implicitly that all the components in the supply chain are impervious to vulnerability, especially with the collaborative nature of open-source software. That’s why Synopsys, among many others, have pushed for the idea of ‘Trust but verify’ – in other words, considering the risk to your business through a potential attack on the weakest points. They specifically recommend an SBOM (a Software Bill of Materials) to inventorize all the items and components in a product. A comprehensive SBOM should track all open source components, as well as the licenses, versions and patch-status of each of those components.
Attacks on the supply chain are very real, and with the advancement of new technologies such as a quantum attack, the threat level will only increase over the next few years. In fact, even now, industries are being advised to monitor their supply chain for potential areas of legacy cryptography, in order to modernize systems for a post-quantum world.
While it might be impossible to predict an avenue of attack, it’s important to be aware of threats to the supply chain, and to do our best to defend against them.