How open source software is being weaponised

Jing Xie, senior threat intelligence researcher at Venafi, explains why the weaponisation of Open Source Software Libraries (OSSLs) is a rapidly growing threat to businesses.

In the technology world, open source software plays a powerful role. Released under a license that allows users to tweak and distribute applications for any purpose, it promotes open collaboration among technologists and offers a range of advantages.

For starters, adopting open source can provide access to high-quality software that doesn't cost a penny. And users are often surrounded by a community of like-minded users who can support and improve the application. There are also advantages when it comes to transparency, flexibility, interoperability and localisation.

Arguably, open source software holds a prized place in the technology ecosystem. But that's not to say there aren't risks: attackers are weaponising open source software libraries (OSSLs) through OSSL trust attacks that target the software supply chain. According to Sonatype, these attacks increased by 55% last year.

In one notable example, EventStream - a JavaScript library used by two million people globally - was infected with malicious code that stole bitcoin from wallets. The library was used by a plethora of Fortune 500 companies and startups. Just how dangerous are such attacks and how can they be mitigated?
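The EventStream incident followed the pattern the article goes on to describe: a trusted library shipped a routine-looking release that pulled in a new, unreviewed dependency. The cheapest place to catch that is the lockfile. The script below is an added example, not code from the article or from Venafi; it diffs two npm lockfile snapshots (the `packages` map used by lockfileVersion 2 and 3) and flags what a trust attack typically changes: a brand-new transitive dependency, a version bump, a package with no integrity hash, or a tarball resolved from somewhere other than the public registry. The package names, versions, hashes and URLs in the snapshots are constructed for illustration.

```javascript
// Added example (not from the article): diff two npm lockfiles and report the
// changes a reviewer should look at before merging a dependency update.
// All package names, versions, hashes and URLs below are constructed.

const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

function diffLockfiles(before, after) {
  const prev = before.packages || {};
  const next = after.packages || {};
  const report = { added: [], removed: [], changed: [], missingIntegrity: [], offRegistry: [] };

  for (const [path, entry] of Object.entries(next)) {
    if (path === "") continue; // "" is the root project, not a dependency
    if (!(path in prev)) {
      report.added.push({ path, version: entry.version });
    } else if (prev[path].version !== entry.version) {
      report.changed.push({ path, from: prev[path].version, to: entry.version });
    }
    // A missing integrity hash means npm cannot verify the tarball it installs.
    if (!entry.integrity) report.missingIntegrity.push(path);
    // A tarball fetched from outside the registry bypasses the registry's own controls.
    if (entry.resolved && !entry.resolved.startsWith(OFFICIAL_REGISTRY)) {
      report.offRegistry.push({ path, resolved: entry.resolved });
    }
  }
  for (const path of Object.keys(prev)) {
    if (path !== "" && !(path in next)) report.removed.push(path);
  }
  return report;
}

// Anything new or unverifiable in the tree is worth a human look.
function hasSuspiciousChanges(report) {
  return (
    report.added.length > 0 ||
    report.missingIntegrity.length > 0 ||
    report.offRegistry.length > 0
  );
}

// Constructed snapshots. "afterLock" models a patch release of a trusted library
// that quietly adds a new transitive dependency with no integrity hash, fetched
// from a host that is not the public registry.
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/trusted-stream": {
      version: "3.3.5",
      resolved: "https://registry.npmjs.org/trusted-stream/-/trusted-stream-3.3.5.tgz",
      integrity: "sha512-AAAAconstructed"
    },
    "node_modules/through": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
      integrity: "sha512-BBBBconstructed"
    }
  }
};

const afterLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/trusted-stream": {
      version: "3.3.6",
      resolved: "https://registry.npmjs.org/trusted-stream/-/trusted-stream-3.3.6.tgz",
      integrity: "sha512-CCCCconstructed"
    },
    "node_modules/through": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
      integrity: "sha512-BBBBconstructed"
    },
    "node_modules/trusted-stream/node_modules/mystery-map": {
      version: "0.1.1",
      resolved: "https://mirror.example.invalid/mystery-map-0.1.1.tgz"
    }
  }
};

const report = diffLockfiles(beforeLock, afterLock);
console.log(JSON.stringify(report, null, 2));
if (hasSuspiciousChanges(report)) {
  console.log("Lockfile update needs review before merging.");
}
```

In practice the two snapshots would be the lockfile at the base and head of a pull request, and the check would run in CI so that a new transitive dependency fails the build rather than landing silently. The check says nothing about whether the new package is malicious; its job is to make sure someone looks.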

A sophisticated threat

Attackers are constantly developing more sophisticated ways to compromise organisations, and it's fair to say OSSL trust attacks are one of them. Jing Xie, senior threat intelligence researcher at Venafi, says their defining characteristic is that the organisation that actually gets breached isn't the intended target.

"Instead, the OSSL host is essentially a Trojan horse, a vehicle that's completely trusted by the open source community that's capable of spreading malware," she tells IDG Connect. "The real danger comes from this trust element. Organisations rely on OSSLs to build their products - 96 percent of applications use open source components to varying degrees. These organisations consider the open source code they find to be completely safe, yet there's every chance the code is more dangerous than they realise."
