Open Security: The path to securing Open Source Software

June 04, 2019

Technical Difficulty

Reading time

Open Security: Steps in the right direction

Some time ago, the results of a C-level executives survey were published with very interesting results: “78% of surveyed companies run open source software”. The most interesting take away for me is that 22% of companies run open source software, but they don’t know about it.

Open source software (OSS) is widely adopted — and this is great! Anyone can contribute, anyone can use it, anyone can improve it, and anyone can have a big impact on the large community of OSS consumers. More importantly, anyone can security review it… but does that actually happen?

The industry is realizing we not only have a big dependency on OSS but we also have a big problem around its security. Open source is indeed great but what about the hidden security costs and risks that it comes with? Common questions I ask myself when reviewing Semmle’s exposure to OSS are “What are the security properties of this software?”, “How would the OSS maintainers react in case of an external vulnerability report?”, “What security practices were used in this project’s development?”, “Does the team use peer code review?”, “Where is this hosted and can it be backdoored?” and most importantly, “Who analyses this project’s security over time?”.

Every company's chief security officer has to answer these questions, and often answers are not easy to come by. We, as an industry, need to offer something back to the OSS projects we rely on, not only as a nice gesture, but as a matter of survival. And we should do openly, sharing our findings so we do not waste resources needlessly resecuring the same projects. This is what I call “open security”.

Open Security Project Examples

Fortunately, during the last years we have seen some very interesting efforts towards open security, which have raised the OSS security bar — though we still have a long way to go. I would enumerate four as examples of open security successful efforts:

OSS-Fuzz

OSS-Fuzz has a special place in my heart, since I was involved in this project back when I was a Googler. Any OSS project can quickly integrate Google’s massive scaling fuzzing cluster with just a pull request.

OSS-Fuzz continuously fuzzes more than 200 projects, as development happens. It drastically reduced the low hanging fruit and the time gap from development to vulnerability findings. Some time ago, it was announced that it has already found more than 9000 vulnerabilities in widely used OSS projects over the past two years.

oss fuzz

Well done Google!

Github

Recently, Github announced major security enhancements to alert OSS maintainers about vulnerabilities and risky dependencies. They also went far beyond and implemented some features as part of the platform to make maintainers life as easy as possible. A great example of this was the new “maintainer security advisories” which provides a consistent and secure channel to communicate security findings to the maintainers.

Large portions of OSS are hosted at GitHub so any improvements there will have a deep lasting impact.

Well done GitHub & Microsoft!

Internet Bug Bounty

The Internet Bug Bounty is a community effort around reviewing internet critical projects, finding security vulnerabilities and rewarding security researchers. This is what the IBB accomplished over the last few years with great results.

Through the IBB, more than 750 vulnerabilities were discovered and security researchers got rewarded on critical software such as Apache Web Server, OpenSSL, and more.

Well done IBB and sponsors!

LGTM.com

Semmle’s LGTM.com for OSS is our very own high-quality code and variant analysis tool and is free for any open source project. LGTM is widely adopted for private code by big customers with mature application security programs.

checks screenshot

Not only are the QL and LGTM projects freely available for OSS, but also the queries we use to find vulnerabilities are open source. The queries we all write as a community are improved and refined over time, and OSS benefits directly, now and in the future.

I’m very proud to be part of this!

These four amazing projects having a deep impact not only on OSS projects but on the consumers of such projects. Imagine what would happen if more sponsored efforts were part of “open security”.

Join us on this “open security” journey to make the open source software we all rely on more secure. Contact us at infosec@semmle.com for collaboration opportunities.

Join us in securing the software that runs the world!

Enter your email address below to stay up-to-date with Semmle news, security announcements and product updates.

Loading...