Last week there were two earthshaking security events. Yes, the Marriott data breach was big, but I’d like to talk about the one you might not have heard of.
About twenty years ago, ESR gave us The Cathedral and the Bazaar. One of the major themes in the book is that “given enough eyeballs, all bugs are shallow”. We’ve come to rely on this premise for open source, at times abdicating responsibility when reusing software components that we’re sure other people must have checked for security issues. Right?
This trust was shaken last week.
Using some very clever tactics, malware was inserted into the popular npm package. There are in-depth discussions of how it happened in an LWN article and a Sonatype blog article by Brian Fox. (There are more articles at the bottom of this page.)
It used to be that bad actors would wait for vulnerabilities to be discovered before exploiting them. This incident changes the dynamic: bad actors are not only creating the exploits, but injecting them upstream into the supply chain that people use to build their applications.
Some thoughts about this:
- The “many eyeballs” of open source is still largely true, if there are in fact many eyeballs. Many (most?) of the millions of available projects don’t have lots of eyeballs.
- Abandoned projects that are still depended on may be a red flag.
- Any project with only two eyeballs may be a red flag. (The risk of malware being inserted unnoticed drops dramatically with more eyeballs.)
- We may have to start tracking not only projects, but perhaps the reputations of committers as well.
We’ve been focusing largely on being reactive, asking “when?” and “what?” when tracking vulnerabilities in packages. The reaction times required between announcements and exploits have dropped dramatically, to just a few days in recent cases. We may need to start being more proactive by looking at “who?” maintains projects and “how?”.
…and who is ultimately responsible for the security of your applications? You are!
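To make the “who?” and “how?” questions concrete, here is an added example (my own code, not from the article or any of the linked write-ups) that scores a dependency’s registry metadata against the red flags listed above: a dormant project that suddenly starts releasing again, a single maintainer, and a change of maintainers between the last two releases. The package names, the registry document shape, the dates and the thresholds (730 days, two maintainers) are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an npm registry document for a hypothetical
# package; "newcomer" takes over from "alice" after two years of silence.
SAMPLE_META = {
    "name": "example-stream",
    "time": {"3.3.4": "2016-03-01T00:00:00.000Z",
             "3.3.5": "2018-09-04T00:00:00.000Z",
             "3.3.6": "2018-09-09T00:00:00.000Z"},
    "versions": {"3.3.4": {"maintainers": [{"name": "alice"}]},
                 "3.3.5": {"maintainers": [{"name": "alice"}, {"name": "newcomer"}]},
                 "3.3.6": {"maintainers": [{"name": "newcomer"}]}},
    "maintainers": [{"name": "newcomer"}],
}
# A healthy counterpart (also constructed): steady releases, two long-standing maintainers.
HEALTHY_META = {
    "name": "example-util",
    "time": {"1.0.0": "2018-01-10T00:00:00.000Z", "1.1.0": "2018-07-10T00:00:00.000Z"},
    "versions": {"1.0.0": {"maintainers": [{"name": "bob"}, {"name": "carol"}]},
                 "1.1.0": {"maintainers": [{"name": "bob"}, {"name": "carol"}]}},
    "maintainers": [{"name": "bob"}, {"name": "carol"}],
}
NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)  # constructed "today"

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def assess_package(meta, now=NOW, stale_days=730, min_maintainers=2):
    """Return red-flag labels for one package; the thresholds are assumptions."""
    flags = []
    # Only real releases have an entry under "versions"; the "time" map can
    # also carry bookkeeping keys such as "created"/"modified", so filter by it.
    times = {v: _ts(t) for v, t in meta["time"].items() if v in meta["versions"]}
    ordered = sorted(times, key=times.get)
    stale = timedelta(days=stale_days)
    if now - times[ordered[-1]] > stale:
        flags.append("abandoned")
    # A long silence somewhere in the release history followed by new
    # releases means a dormant project woke up: worth a closer look.
    gaps = [times[b] - times[a] for a, b in zip(ordered, ordered[1:])]
    if gaps and max(gaps) > stale:
        flags.append("revived-after-dormancy")
    if len(meta.get("maintainers", [])) < min_maintainers:
        flags.append("few-maintainers")
    if len(ordered) >= 2:
        before = {m["name"] for m in meta["versions"][ordered[-2]]["maintainers"]}
        after = {m["name"] for m in meta["versions"][ordered[-1]]["maintainers"]}
        if before != after:
            flags.append("maintainer-change")
    return flags
```

Flags are prompts for a human review of the project and its committers, not a verdict; a maintainer hand-over is often legitimate, which is exactly why it deserves a look.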