Open Security: Steps in the right direction
Some time ago, a survey of C-level executives was published with a very interesting result: “78% of surveyed companies run open source software”. The most interesting take-away for me is that the remaining 22% of companies run open source software too, but they don’t know about it.
Open source software (OSS) is widely adopted — and this is great! Anyone can contribute, anyone can use it, anyone can improve it, and anyone can have a big impact on the large community of OSS consumers. More importantly, anyone can security-review it… but does that actually happen?
The industry is realizing that we not only have a big dependency on OSS but also a big problem around its security. Open source is indeed great, but what about the hidden security costs and risks that come with it? Common questions I ask myself when reviewing Semmle’s exposure to OSS are “What are the security properties of this software?”, “How would the OSS maintainers react to an external vulnerability report?”, “What security practices were used in this project’s development?”, “Does the team use peer code review?”, “Where is this hosted, and can it be backdoored?” and, most importantly, “Who analyses this project’s security over time?”.
Every company's chief security officer has to answer these questions, and the answers are often not easy to come by. We, as an industry, need to offer something back to the OSS projects we rely on, not only as a nice gesture, but as a matter of survival. And we should do so openly, sharing our findings so that we do not waste resources needlessly re-securing the same projects. This is what I call “open security”.
Open Security Project Examples
Fortunately, over the last few years we have seen some very interesting efforts towards open security, which have raised the OSS security bar — though we still have a long way to go. I would name four as examples of successful open security efforts:
OSS-Fuzz
OSS-Fuzz has a special place in my heart, since I was involved in this project back when I was a Googler. Any OSS project can quickly integrate with Google’s massively scaled fuzzing cluster with just a pull request.
OSS-Fuzz continuously fuzzes more than 200 projects as development happens. It has drastically reduced the low-hanging fruit and the time gap from development to vulnerability discovery. Some time ago, it was announced that it has already found more than 9000 vulnerabilities in widely used OSS projects over the past two years.
Well done Google!
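To make the integration step concrete, here is an added example of the unit an OSS-Fuzz integration is built around: a libFuzzer-style fuzz target. This is not code from the original post or from the OSS-Fuzz project; the `parse_kv` parser is a constructed toy standing in for a project’s real input-handling code, and the integration pull request itself would additionally carry the project’s build script and container definition, which are not shown here. The contract of the target is simple: accept arbitrary bytes, never crash or read out of bounds on them, and return 0, so that the sanitizers the cluster links in catch anything the parser gets wrong.

```c
/* Added example, not from the original post or from OSS-Fuzz itself.
 * A libFuzzer-style fuzz target wrapping a constructed toy parser. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 16
#define MAX_VAL 64

struct kv {
    char key[MAX_KEY + 1];
    char val[MAX_VAL + 1];
};

/* Parse "key=value" from a buffer that is NOT assumed to be NUL-terminated.
 * Returns 1 on success, 0 on malformed or over-long input. Every bound is
 * checked explicitly: fuzz input is never trusted to be well-formed. */
int parse_kv(const uint8_t *data, size_t size, struct kv *out) {
    if (data == NULL || size == 0) return 0;
    const uint8_t *eq = memchr(data, '=', size);
    if (eq == NULL) return 0;
    size_t klen = (size_t)(eq - data);
    size_t vlen = size - klen - 1;          /* bytes after the '=' */
    if (klen == 0 || klen > MAX_KEY || vlen > MAX_VAL) return 0;
    memcpy(out->key, data, klen);
    out->key[klen] = '\0';
    memcpy(out->val, eq + 1, vlen);
    out->val[vlen] = '\0';
    return 1;
}

/* The libFuzzer entry point. OSS-Fuzz builds this with the fuzzing engine and
 * sanitizers (ASan, UBSan, ...) and feeds it mutated inputs continuously.
 * It must handle any byte sequence and always return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct kv kv;
    if (parse_kv(data, size, &kv)) {
        /* Touch the parsed fields so a sanitizer sees any bad read or
         * missing terminator; 'volatile' keeps the compiler from eliding it. */
        volatile size_t sink = strlen(kv.key) + strlen(kv.val);
        (void)sink;
    }
    return 0;
}

/* Stand-alone driver for running the target on a few constructed inputs
 * without the fuzzing engine; OSS-Fuzz supplies its own main(). */
int main(void) {
    const char *samples[] = { "user=alice", "noequals", "=x",
                              "aaaaaaaaaaaaaaaaa=toolongkey", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct kv kv;
        int ok = parse_kv((const uint8_t *)samples[i], strlen(samples[i]), &kv);
        printf("%-30s -> %s\n", samples[i], ok ? "parsed" : "rejected");
        LLVMFuzzerTestOneInput((const uint8_t *)samples[i], strlen(samples[i]));
    }
    return 0;
}
```

Built locally with `clang -fsanitize=fuzzer,address`, the same file becomes a fuzzer binary; on OSS-Fuzz the cluster does that build, runs it at scale, and files any crash back to the project.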
GitHub
Recently, GitHub announced major security enhancements to alert OSS maintainers about vulnerabilities and risky dependencies. They also went well beyond that and implemented features in the platform itself to make maintainers’ lives as easy as possible. A great example of this is the new “maintainer security advisories”, which provide a consistent and secure channel for communicating security findings to maintainers.
A large portion of OSS is hosted on GitHub, so any improvement there will have a deep and lasting impact.
Well done GitHub & Microsoft!
Internet Bug Bounty
The Internet Bug Bounty (IBB) is a community effort around reviewing internet-critical projects, finding security vulnerabilities and rewarding security researchers. The IBB has been doing exactly that over the last few years, with great results.
Through the IBB, more than 750 vulnerabilities were discovered, and security researchers were rewarded for findings in critical software such as the Apache Web Server, OpenSSL, and more.
Well done IBB and sponsors!
LGTM.com
Semmle’s LGTM.com for OSS is our very own high-quality code and variant analysis tool, and it is free for any open source project. LGTM is widely adopted for private code by big customers with mature application security programs.
Not only are the QL and LGTM projects freely available to OSS, but the queries we use to find vulnerabilities are open source as well. The queries we all write as a community are improved and refined over time, and OSS benefits directly, now and in the future.
I’m very proud to be part of this!
These four amazing projects are having a deep impact not only on OSS projects but also on the consumers of those projects. Imagine what would happen if more sponsored efforts were part of “open security”.
Join us on this “open security” journey to make the open source software we all rely on more secure. Contact us at firstname.lastname@example.org for collaboration opportunities.