Using open-source software in our products reduces development time and allows us to leverage the expertise of others.
However, there have recently been concerns about the software supply chain and supply chain attacks. What does this mean?
Say you’re using a library (an npm, Go or Python package, for example) that enters your software supply chain from a trusted repository. If you have an automated build, you might pull the latest version of that package automatically. This could compromise your security, as with the Log4j vulnerability that came to the world’s attention earlier this year.
That attack exploited a long-standing vulnerability: developers had adopted the package in good faith at some point in the past, and the flaw only came to light years later.
So should we abandon our obsession with open source? From a recent report in The Register:
“About 40 percent of industry professionals say their organizations have reduced their usage of open source software due to concerns about security,”
register.co.uk
The report, however, goes on to say that:
“Other reasons for not using open source software include: lack of understanding (38 percent); lack of confidence in organizational IT governance (29 percent); “open-source software is deemed insecure, so it’s not allowed” (28 percent); and not wanting to disrupt current projects (26 percent)”
I accept the risk
I certainly recognise these patterns in industry. Some businesses move too slowly to lower the barriers to adopting open source, or put draconian rules in place; others are happy for developers to use any package they find. A compromise is to keep local mirrors of internet repositories and security-scan them before packages are consumed. The big players such as GitHub and Artifactory have been quick to invest more in security scanning to keep developers aware of potential vulnerabilities in their code. Yet these warnings must be acted upon.
Like anything in software development, you can choose the convenient or seemingly easier path, but it comes at a cost. When building CI/CD toolchains and pipelines, it’s important to make sure that you know where you’re getting your code from.
If not now, then possibly in the future your customers may demand it.
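One concrete way a pipeline can "know where its code comes from" is a pre-install gate that checks each dependency against a lockfile before anything is installed. The example below is added here and is not from the original post; it assumes a hypothetical lockfile shape (name, exact version, resolved URL, sha256), an approved-host allowlist naming a hypothetical local mirror, and constructed sample data.

```python
"""CI pre-install gate (added example, hypothetical lockfile shape): reject
dependencies that float to 'latest', come from outside the local mirror,
or whose downloaded bytes differ from the recorded sha256."""
import hashlib
import re
from urllib.parse import urlparse

# Assumption: packages may only be served from the organisation's local mirror.
APPROVED_HOSTS = {"mirror.internal.example"}
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_dependency(entry: dict, artifact) -> list:
    """Policy findings for one lockfile entry; an empty list means it passes."""
    name, findings = entry["name"], []
    if not EXACT_VERSION.match(entry.get("version", "")):
        findings.append(f"{name}: version {entry.get('version')!r} is not an exact pin")
    host = urlparse(entry.get("resolved", "")).hostname
    if host not in APPROVED_HOSTS:
        findings.append(f"{name}: resolved from unapproved host {host!r}")
    expected = entry.get("sha256")
    if not expected:
        findings.append(f"{name}: no sha256 recorded, cannot verify artifact")
    elif artifact is None:
        findings.append(f"{name}: artifact not fetched")
    elif sha256_hex(artifact) != expected:
        findings.append(f"{name}: sha256 mismatch, artifact differs from what was scanned")
    return findings

def gate(lockfile: list, artifacts: dict) -> dict:
    """Check every entry; returns {name: findings} for failing entries only."""
    report = {}
    for entry in lockfile:
        findings = check_dependency(entry, artifacts.get(entry["name"]))
        if findings:
            report[entry["name"]] = findings
    return report

# Constructed sample: one clean entry, one floating range, one tampered artifact.
MIRROR = "https://mirror.internal.example/npm/"
GOOD = b"tarball bytes of left-pad 1.3.0"
SAMPLE_LOCK = [
    {"name": "left-pad", "version": "1.3.0", "resolved": MIRROR + "left-pad-1.3.0.tgz", "sha256": sha256_hex(GOOD)},
    {"name": "floaty", "version": "^2.0.0", "resolved": MIRROR + "floaty-2.0.0.tgz", "sha256": sha256_hex(b"floaty")},
    {"name": "tampered", "version": "0.9.1", "resolved": MIRROR + "tampered-0.9.1.tgz", "sha256": sha256_hex(b"original")},
]
SAMPLE_ARTIFACTS = {"left-pad": GOOD, "floaty": b"floaty", "tampered": b"modified"}
```

A non-empty report from `gate()` should fail the build step; the hash check is what stops an automatically pulled artifact from differing silently from the one that was scanned.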