Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

During a two-day conference at the United Nations in New York City last week, technologists and global policy makers expounded on the benefits that open source software (OSS) can provide to the world, particularly when it comes to delivering affordable technology to underserved nations in Africa and beyond. But to make the most of the OSS promise, security has to go hand in hand with app development.

Philip Thigo, special envoy on technology for the government of Kenya, stressed that, in a world where exclusion from prosperity is the norm, OSS offers a way for more people to participate in coding activities and the business of application development; he pointed out that GitHub, for instance, has more than 300,000 developers from Kenya, and more than a million from Nigeria.

"In the era of sustainable development goals, where we must end extreme poverty but also leave no one behind ... open source almost becomes intrinsic or integral to everything that we do," he told attendees at the UN's Open-Source Program Officers for Good 2024 conference on July 9.

To reach those goals, every nation needs to also focus on the security of the ecosystem, Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF), who spoke at the conference, tells Dark Reading.

"Our perspective is that it's wonderful that open source can provide assistance in all these areas and build community, but of course, the precondition is that it must be secure," he says. "The last thing that you want to contend with ... is a scenario where a part of the global majority is contending with, say, food safety as well as cyber safety, because of a package that's insecure."

Under-Resourced: Danger Warnings for Open Source

Companies interested in securing the open source components used in their application development efforts — the "demand side," as Arasaratnam says — have plenty of tools and services at their disposal. But all too often, OSS maintainers and project contributors, including many in Africa, lack funding and resources for security — in fact, many of them work on the projects for free, or are the only person on the team.

"The demand side, that's the easy part — it's the supply side we need to focus on," he says. "Remember, a lot of these programs, a lot of these critical open source projects are single-maintainer projects that just happen to be incredibly popular."

The coordinated attack on the XZ Utils project highlights the danger on a broad scale. In that incident, a sophisticated group targeted the project's lone, over-stressed maintainer over the course of three years. Members of the attacking group donned a variety of identities to both criticize him and then offer help. In the end, the attackers gained maintainer privileges and ported in exploitable code.

The attack on the XZ Utils project, which could have led to the compromise of the many other projects that rely on it, holds important lessons — not just that supply chain security is important, but that such attacks can be stopped. Arasaratnam pointed to the fact one of the OpenSSF's free tools, Scorecards, highlighted the riskiness of the XZ Utils project, and other projects used the tools to detect similar social engineering efforts.

"The good news is, after hearing [about the attack], a number of other open source projects identified very similar modus operandi from actors attempting to do the same things," he says. "But because these projects were much better resourced, they weren't susceptible to it."

Create a Securing Open Source Ecosystem

To shore up security and avoid the dangers of under-resourced projects, companies have a few options, all starting with determining which OSS their developers and operations rely on. To that end, software bills of materials (SBOMs) and software composition analysis (SCA) software can help enumerate what's in the environment, and potentially help trim down the number of packages that companies need to check, verify, and manage, says Chris Hughes, chief security adviser for software supply chain security firm Endor Labs.

"There's simply so much software, so many projects, so many libraries, that the idea of ... monitoring them all actively is just — it's very hard," he says.

Finally, educating developers and package managers on how to produce and manage code securely is another area that can produce significant gains. The OpenSSF, for example, has created a free course LFD 121 as part of that effort.

"We'll be building a course on security architectures, which will also be released later this year," OpenSSF's Arasaratnam says. "As well as a course on security for not just engineers, but engineering managers, as we believe that's a critical part of the equation."

The group also has focused on working with the Cybersecurity and Infrastructure Security Agency (CISA) to identify critical open source projects; and, the group is developing and funding the creation of tools, such as OpenSSF Scorecard, for documenting the security posture of specific packages, and Sigstore, a digital signature that can validate a software's packages security claims. And finally, Arasaratnam says, OpenSSF has helped secure the repository platforms where open source packages live, including PyPI, RubyGems, and npm, the Node Package Manager.