{"id":4708,"date":"2022-03-17T04:49:53","date_gmt":"2022-03-17T11:49:53","guid":{"rendered":"https:\/\/coderpad.io\/?p=4708"},"modified":"2023-06-05T14:35:32","modified_gmt":"2023-06-05T21:35:32","slug":"open-source-software-dependency-security","status":"publish","type":"post","link":"https:\/\/coderpad.io\/blog\/development\/open-source-software-dependency-security\/","title":{"rendered":"Open Source Security: How Safe are Your Dependencies?"},"content":{"rendered":"\n<p>Is the next <a href=\"https:\/\/securityboulevard.com\/2022\/03\/log4j-forced-a-cybersecurity-wake-up-call\/\" target=\"_blank\" rel=\"noopener\">Log4J<\/a> or <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/TA14-098A\" target=\"_blank\" rel=\"noopener\">OpenSSL<\/a> disaster lurking in one of your open source dependencies?<\/p>\n\n\n<p>If you happened to miss out on those particular catastrophes, here\u2019s a quick recap:<\/p>\n\n\n<p>Log4J is a popular logging library used in many enterprise applications to populate server logs. The <a href=\"https:\/\/theconversation.com\/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896\" target=\"_blank\" rel=\"noopener\">Log4Shell vulnerability<\/a> that was recently discovered in the Log4J library \u201c<em>allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. 
This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system, and slipping malicious content to other users communicating with the affected server<\/em>.\u201d Patches were quickly released to fix it, but not before <a href=\"https:\/\/www.zdnet.com\/article\/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability\/\" target=\"_blank\" rel=\"noopener\">malicious hackers conducted thousands of attempts to exploit it<\/a>.<\/p>\n\n\n\n<p>OpenSSL is a library commonly used to enable secure end-to-end TLS and SSL connections across the internet. <a href=\"https:\/\/heartbleed.com\/\" target=\"_blank\" rel=\"noopener\">The Heartbleed bug<\/a> was another recent vulnerability that \u201c<em>allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software<\/em>.\u201d This compromises the secret keys used in the identification and encryption process, so that hackers who exploit this bug can obtain access to sensitive information that would typically be protected by the SSL\/TLS encryption.<\/p>\n\n\n\n<p>Unfortunately, those are probably not going to be isolated incidents. 
We\u2019ve spoken with a few open-source maintainers and, combined with the <a href=\"https:\/\/linuxfoundation.org\/wp-content\/uploads\/LFResearch_Harvard_Census_II.pdf\" target=\"_blank\" rel=\"noopener\">Census II of Free and Open Source Software \u2013 Applications Libraries<\/a> report by the Linux Foundation\u2019s Open Source Security Foundation (OpenSSF) and Harvard Business School, the picture is clear: Your dependencies may not be as safe as you might assume.<\/p>\n\n\n<p>Let\u2019s take a look at why that is, what\u2019s been done in the past to mitigate these problems systemically, and what you should be doing to protect your projects.<\/p>\n\n\n
<h2 class=\"wp-block-heading\">The benefits and risks of FOSS<\/h2>\n\n<p>While we all know the most significant advantage of Free and Open Source Software (FOSS) is its distributed development approach, it also happens to be one of its most significant disadvantages. It\u2019s great to have an army of volunteers and enthusiasts producing great libraries, but no centralized authority is responsible for ensuring that bugs are found and fixed.<\/p>\n\n<p>Because of this lack of centralization, it can be challenging to figure out what projects need the most help and where the problems even lie. After all, because individual contributors maintain most FOSS projects, it may not be apparent if a given project is actively updated.<\/p>\n\n<p>In the words of the Census II report, \u201cTherefore, to ensure the future health and security of the FOSS ecosystem, it is critical to understand what FOSS is being used, and how well it is supported and maintained.\u201d<\/p>\n\n\n<p>Similarly, CoderPad Developer Advocate <a href=\"http:\/\/github.com\/crutchcorn\/\" target=\"_blank\" rel=\"noopener\">Corbin Crutchley<\/a> \u2013 who himself is an active developer for FOSS projects like <a href=\"http:\/\/github.com\/plopjs\/plop\" target=\"_blank\" rel=\"noopener\">PlopJS<\/a> \u2013 says:<\/p>\n\n\n<blockquote class=\"wp-block-quote\"><p><em>\u201cIt can be a mess to see if a project is well maintained or not. I know of some major projects with millions of installs a month that only have one or two people actively contributing to them. It\u2019s increasingly common for the few people working on major open-source (OSS) projects not to be paid, either, so there\u2019s little incentive for them to spend their spare time working on a project. 
<\/em><br><br><em>This is known in the OSS community as \u2018the bus factor problem\u2019 \u2013 a \u2018<\/em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Bus_factor\" target=\"_blank\" rel=\"noopener\"><em>measurement of the risk resulting from information and capabilities not being shared among team members<\/em><\/a><em>,\u2019 i.e., what would happen to a project if the team got hit by a bus. It reminds me of the popular XKCD comic joking about a single person maintaining a dependency that a slew of larger projects relies on.\u201d<\/em><\/p><\/blockquote>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"263\" height=\"332\" src=\"https:\/\/d2h1bfu6zrdxog.cloudfront.net\/wp-content\/uploads\/2022\/03\/XKCDcomic.png\" alt=\"A huge stack of blocks titled &quot;all modern digital infrastructure&quot; lying on top of a tiny slivered block titled &quot;a project some random person in Nebraska has been thanklessly maintaining since 2003&quot;.\" class=\"wp-image-4709\" srcset=\"https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/XKCDcomic.png 263w, https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/XKCDcomic-238x300.png 238w\" sizes=\"auto, (max-width: 263px) 100vw, 263px\" \/><figcaption><a href=\"https:\/\/xkcd.com\/2347\/\" target=\"_blank\" rel=\"noopener\">Image by XKCD<\/a><\/figcaption><\/figure>\n<\/div>\n\n\n<p>This idea of a \u201cbus factor\u201d is a massive problem. If a FOSS maintainer decides to hand off (or even sell) their work to a bad actor, that\u2019s game over for any project that relies on it. This is especially troubling since <a href=\"https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html\" target=\"_blank\" rel=\"noopener\">an estimated 98% of codebases include FOSS<\/a>. 
The more people working with FOSS, the more likely bugs and other vulnerabilities will be found.<\/p>\n\n\n<p>Clearly, the goal here is to increase dev participation in FOSS \u2013 but even if there\u2019s increased participation, how do we know what security problems are present in a codebase to begin with?<\/p>\n\n<h2 class=\"wp-block-heading\">Current FOSS security solutions<\/h2>\n\n<p>This is not to say that the dev community has wholly ignored the FOSS security issue. There are currently some great tools and platforms that are working to close the vulnerability gaps:<\/p>\n\n\n<ol class=\"wp-block-list\"><li><strong>Common Vulnerabilities and Exposures (CVE)<\/strong> is a system that the MITRE Corporation runs with funding from the US Government. It\u2019s a list of \u201c<a href=\"https:\/\/www.redhat.com\/en\/topics\/security\/what-is-cve\" target=\"_blank\" rel=\"noopener\">publicly disclosed computer security flaws<\/a>\u201d that helps inform security researchers of new security issues so that they can document them and notify the proper channels to get them patched in OSS. 
Anyone can add to the list by submitting the issue <a href=\"https:\/\/opensource.com\/article\/19\/3\/bug-reporting\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li><li>In 2019, GitHub introduced a feature called <a href=\"https:\/\/www.helpnetsecurity.com\/2019\/05\/28\/github-automated-security-fixes\/\" target=\"_blank\" rel=\"noopener\"><strong>Dependabot<\/strong><\/a>, which monitors GitHub projects for dependencies that might have critical security flaws.<\/li><li>Node Package Manager (NPM) also has the \u2018<strong>npm audit<\/strong>\u2019 command, which \u201c<a href=\"https:\/\/blog.npmjs.org\/post\/173719309445\/npm-audit-identify-and-fix-insecure.html\" target=\"_blank\" rel=\"noopener\">performs a moment-in-time security review of your project\u2019s dependency tree<\/a>\u201d and identifies security vulnerabilities that may be present in your dependencies.<\/li><\/ol>\n\n\n\n<p>While they\u2019re a step in the right direction, these tools are not flawless. For example, the <code>npm audit<\/code> command has drawn its fair share of criticism over the years. <a href=\"https:\/\/overreacted.io\/npm-audit-broken-by-design\/\" target=\"_blank\" rel=\"noopener\">To quote Dan Abramov<\/a>, one of the core members of the ReactJS team:<\/p>\n\n\n\n<p><em>\u201cThe way npm audit works is broken. 
Its rollout as a default after every npm install was rushed, inconsiderate, and inadequate for the front-end tooling.\u201d<\/em><\/p>\n\n\n\n<p>He goes on to compare it to <a href=\"https:\/\/en.wikipedia.org\/wiki\/The_Boy_Who_Cried_Wolf\" target=\"_blank\" rel=\"noopener\">\u201cThe boy who cried wolf\u201d<\/a> in the sense that <code>npm audit<\/code> is prone to generating a large number of false positives, making it challenging to focus on the actual security issues.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Where developers should focus their efforts to improve open source security<\/h2>\n\n\n<p>This is where the <em>Census II<\/em> report comes in handy: it suggests where our focus should be by ranking the most popular FOSS packages. The more popular a package, the more attention it should get to prevent catastrophic vulnerabilities from being exploited.<\/p>\n\n\n<p>The rankings are broken out in three ways:<\/p>\n\n\n<ol class=\"wp-block-list\"><li><strong>Versioned vs. Version-Agnostic<\/strong> \u2013 i.e., \u201cversioned\u201d rankings consider whether a particular version of a package is used more, whereas version-agnostic rankings count all versions of a package together.<\/li><li><strong>Direct dependencies vs. Direct AND Indirect Dependencies<\/strong> \u2013 A direct dependency is a package your project pulls straight from the package manager; an indirect dependency is any package that a direct dependency itself depends on and therefore comes along with it.<\/li><li><strong>NPM vs. 
Non-NPM packages<\/strong> \u2013 Node package manager (NPM) has become such a popular tool that the results were broken out between it and other popular package managers like <em>maven <\/em>and <em>nuget<\/em>.<\/li><\/ol>\n\n\n<p>You can find the top 5 results below:<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"475\" src=\"https:\/\/d2h1bfu6zrdxog.cloudfront.net\/wp-content\/uploads\/2022\/03\/top5versionedpackages.png\" alt=\"Top five most used versioned direct dependency npm packages are puncode.js, lodash, express, axios, and react.\" class=\"wp-image-4710\" srcset=\"https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionedpackages.png 790w, https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionedpackages-300x180.png 300w, https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionedpackages-768x462.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption><a href=\"https:\/\/linuxfoundation.org\/wp-content\/uploads\/LFResearch_Harvard_Census_II.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Sourced from the Census II report<\/a><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"372\" src=\"https:\/\/d2h1bfu6zrdxog.cloudfront.net\/wp-content\/uploads\/2022\/03\/top5versionagnosticpackages.png\" alt=\"Top 5 most popular version agnostic packages for npm direct dependency packages are lodash, react, axios, debug, and @babel\/core.\" class=\"wp-image-4711\" srcset=\"https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionagnosticpackages.png 790w, https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionagnosticpackages-300x141.png 300w, https:\/\/coderpad.io\/wp-content\/uploads\/2022\/03\/top5versionagnosticpackages-768x362.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption><a 
href=\"https:\/\/linuxfoundation.org\/wp-content\/uploads\/LFResearch_Harvard_Census_II.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Sourced from the Census II report<\/a><\/figcaption><\/figure>\n\n\n<h2 class=\"wp-block-heading\">What can you do?<\/h2>\n\n\n<p>Contribute and review FOSS! Obviously, you\u2019re not going to dedicate your free time to fixing <em>every<\/em> FOSS out there, but you can focus on one of the top ones on the list or \u2013 better yet \u2013 find one on the list that you often use and find ways to improve it.<\/p>\n\n\n\n<p>Moreover, you can help fund projects you depend on. With the advent of tools like <a href=\"https:\/\/github.com\/sponsors\" target=\"_blank\" rel=\"noopener\">GitHub Sponsors<\/a> and <a href=\"https:\/\/opencollective.com\/\" target=\"_blank\" rel=\"noopener\">Open Collective<\/a> it\u2019s easier than ever to find projects that require funding and financially support them.<\/p>\n\n\n\n<p>The <em>Census II<\/em> report\u2019s authors also cite the following focus areas:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><em>the need for a standardized naming schema for software components,&nbsp;<\/em><\/li><li><em>the complexities associated with package versions,&nbsp;<\/em><\/li><li><em>much of the most widely used FOSS is developed by only a handful of contributors,&nbsp;<\/em><\/li><li><em>the increasing importance of individual developer account security, and&nbsp;<\/em><\/li><li><em>the persistence of legacy software in the open source space\u201d<\/em><\/li><\/ul>\n\n\n\n<p>There\u2019s a lot of work ahead of the FOSS developer community. 
The report mentions how some governments have incentivized attention to FOSS by creating \u201c<em>bug bounty programs, hackathons, and conferences<\/em>.\u201d They conclude their study with this:<\/p>\n\n\n\n<p>\u201c<em>Given the distributed nature of FOSS, only through data sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come.<\/em>\u201d<\/p>\n\n\n<p>We can be grateful that groups like OpenSSF are helping to shed light on this global issue, but in the end we have to realize this is a team effort, and we must all do our part to ensure the FOSS we use is safe for ourselves, our companies, and our customers.<\/p>\n\n\n<p>For full rankings and methodology, check out the report <a href=\"https:\/\/linuxfoundation.org\/wp-content\/uploads\/LFResearch_Harvard_Census_II.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n\n\n<p>Happy coding!<\/p>","protected":false},"excerpt":{"rendered":"<p>A look at the current state of Free &#038; Open Source Software security &#8212; and the alarms that are being raised about 
it.<\/p>\n","protected":false},"author":12,"featured_media":4846,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[],"persona":[27,29],"blog-programming-language":[],"keyword-cluster":[],"class_list":["post-4708","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-development"],"acf":[],"_links":{"self":[{"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/posts\/4708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/comments?post=4708"}],"version-history":[{"count":21,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/posts\/4708\/revisions"}],"predecessor-version":[{"id":8075,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/posts\/4708\/revisions\/8075"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/media\/4846"}],"wp:attachment":[{"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/media?parent=4708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/categories?post=4708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/tags?post=4708"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/persona?post=4708"},{"taxonomy":"blog-programming-language","embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/blog-programming-language?post=4708"},{"taxonomy":"keyword-cluster","embeddable":true,"href":"https:\/\/coderpad.io\/wp-json\/wp\/v2\/keyword-cluster?post=4708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}