Open-source software security is crucial in today's cloud-native world. Learn about vulnerabilities, dependencies, and tools to improve security in this in-depth blog post.

As cybersecurity becomes increasingly important in software development, the “shift left” security approach is widely recognized as a best practice for ensuring superior application security. Numerous traditional security firms are introducing shift-left products and capabilities, and the concept is gaining traction. However, some open source application security tools are more developer-friendly than others.

A necessary step in securing an application is evaluating the supply chain of each component used to create the application—no matter how many hands were involved in its development. If any links in the supply chain are obscured, it can be difficult to confidently assess the amount of risk that an application is susceptible to.

In late March 2024, the cybersecurity community was shaken by the revelation of a critical vulnerability in XZ Utils, a popular open source compression tool integral to many Linux systems. The discovery was made by Andres Freund, a developer at Microsoft, who reported that versions 5.6.0 and 5.6.1 had a backdoor that could potentially allow unauthorised remote code execution.

Fully understanding open-source licenses is crucial for your projects and organization. Let's look at where these licenses come from and how they can impact your applications.

By now, you have probably heard about the recently discovered backdoor into versions 5.6.0 and 5.6.1 of the tarballs of the xz utilities, a popular compression/decompression library for xz files, which provides unauthorized remote access under certain conditions. This vulnerability was reported under CVE-2024-3094. Andres Freund, of Microsoft, who discovered the vulnerability, summarized it well.

We recently wrote about npm audit fix, which is an add-on to the excellent npm audit, that has become a fundamental tool for managing software packages in Node.js projects. However, developers working with other languages also require specialized tools for Software Composition Analysis (SCA). At Jit, our tool of choice for SCA scanning across a diversity of programming languages is OSV Scanner, a best of breed OSS solution maintained by Google.

The recent discovery of a backdoor in XZ Utils (CVE-2024-3094), a data compression utility used by a wide array of various open-source, Linux-based computer applications, underscores the importance of open-source software security. While it is often not consumer-facing, open-source software is a critical component of computing and internet functions, such as secure communications between machines.

At Bitsight, part of the core work of the Vulnerability Research team is to analyze new high-profile vulnerabilities and ensure we come up with ways to detect, at an internet-wide scale, who is affected by these. Sometimes - more often than not - the direct exploitation of these vulnerabilities is significantly intrusive, and thus we can not load a direct port of the publicly available Proofs-of-Concept onto our internet scanning infrastructure.

Each year, our "Open Source Security and Risk Analysis” (OSSRA) report highlights the fact that open source software (OSS) plays a critical and substantial role in modern application development, and it is therefore foundational to the software supply chain. The prevalence of OSS within commercial applications makes it difficult to track, and that makes it difficult to manage the risk that it may introduce.

The open-source world narrowly escaped a sophisticated supply-chain attack that could have compromised countless systems. A stark reminder of the necessity of vigilant monitoring and rigorous vetting within the open-source ecosystem to maintain trust and security.

If you’re a software developer, you’re probably using open source components and libraries to build software. You know those components are governed by different open source licenses, but do you know all the license details? In particular, do you know the sometimes-convoluted licensing conditions that could pose compliance challenges for your organization?