How to Ensure Open Source Packages Are Not Landmines

Open source repositories are critical to running and writing modern applications, but beware — carelessness could detonate mines and inject backdoors and vulnerabilities in software infrastructures. IT departments and project maintainers need to assess a project's security capabilities to ensure malicious code is not being incorporated into the application.

A new security framework from the Cybersecurity and Infrastructure Security Agency (CISA) and Open Source Security Foundation (OpenSSF) recommends enabling multifactor authentication for project maintainers, third-party security reporting capabilities, and warnings for outdated or insecure packages, among other controls, to help reduce exposure to malicious code and packages masquerading as open source code on public repositories.

"The open source community gathers around these watering holes in order to fetch these packages. They have to be — from an infrastructure perspective — secure," says Omkhar Arasaratnam, general manager of OpenSSF.

Where Bad Code Can be Found

Those watering holes include GitHub, which hosts entire programs, programming tools, and APIs that connect software to online services. Other repositories include PyPI, which hosts Python packages; NPM, which is a JavaScript repository; and Maven Central, which is a Java repository. Code written in Python, Rust, and other programming languages download libraries from multiple package repositories.

Developers could unintentionally be tricked into pulling in malicious software that could be injected in package managers, which could give hackers access to systems. Programs written in languages like Python and Rust could include malicious software if developers link up to the wrong URL.

The guidelines laid out in CISA and OpenSSF's "Principles for Package Repository Security" build on security efforts already adopted by repositories. The Python Software Foundation last year adopted Sigstore, which ensures the integrity and provenance of the packages that are contained within its PyPI and other repositories.

The security across repositories isn’t abjectly bad, but it is inconsistent, Arasaratnam says.

"The first part is to gather some of the more popular ... and significant ones within the community and start to establish a set of a set of controls that could be used universally across them," Arasaratnam says.

The new guidelines could prevent incidents such as namesquatting, where malicious packages are downloaded by developers who mistype the wrong file name or URL.

"You may accidently boot a malicious version of the package, or it could be a scenario where somebody has uploaded code that is malicious under the identity of the maintainer but only due to machine compromise," Arasaratnam says.

Harder to Recognize Malicious Packages

The security of packages on repositories dominated a panel session about open source security at the Open Source in Finance Forum (OSFF) in New York last November.

"It is like the old days of browsers when they were inherently vulnerable. People would go to a malicious website, get a backdoor dropped, and then go, 'Whoa, this isn't the site,'" said Brian Fox, co-founder and chief technology officer at Sonatype, during the panel discussion. "We're tracking well over 250,000 components that were intentionally malicious."

IT departments are coming to grips with the malicious code and packages masquerading as open source code, said Ann Barron-DiCamillo, managing director and global head of cyber operations at Citi, at the OSFF conference.

"Talking about malicious packages over the last year, we have seen a twofold increase over previous years," she said. "This is becoming a reality associated with our development community."