Improving Open Source Software Security through Enhanced Development Practices
Earlier this year, a Microsoft developer stumbled upon a disturbing discovery – a backdoor had been inserted into the code of XZ Utils, an open source utility used in virtually all Linux operating systems. The operation had begun two years prior when an individual known as JiaT75 started contributing to the XZ Utils repository on GitHub.
This attack, reminiscent of other high-profile cybersecurity incidents involving open source software such as Heartbleed, Shellshock, and Log4j, serves as a stark reminder that open source software can pose significant security risks due to its widespread adoption. At TechCrunch Disrupt 2024, industry experts gathered to discuss the challenges of securing open source software.
The Challenges of Securing Open Source Software
Bogomil Balkansky, partner at Sequoia Capital, described open source software as the "lifeblood of software," which makes it "foundational and baked into everything." However, he noted that "the business model for open source is still very much work in progress." This raises questions about who should take care of securing open source software and who should pay to fix vulnerabilities.
The Importance of Open Source Security
Aeva Black, the section chief for open source security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), emphasized that open source software is a public good. She stated, "We’re here to participate as a member of the open source community and work with them." CISA is now launching initiatives to educate businesses on the best practices for deploying open source software.
Luis Villa, co-founder of Tidelift, proposed a model where companies pay open source maintainers to take care of their code and partners to fix vulnerabilities. Villa emphasized that there’s a need for "multiple approaches" and "defense in depth," which means several layers of security are required to protect the open source ecosystem.
The Need for Collective Action
Black stressed the importance of knowing which open source software is in individual products. She said, "We need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and nonprofits." This highlights the need for collective action among stakeholders to address the security risks associated with open source software.
The Solution to Open Source Security
Balkansky noted that "the solution to open source security, at least to some degree, also needs to be open source." He warned that there are no silver bullets and that a multi-faceted approach is necessary. Villa emphasized the need for multiple approaches and defense in depth, while Black stressed the importance of better engagement among stakeholders.
The Way Forward
In conclusion, the security risks associated with open source software are real and require collective action to address. The industry must come together to develop a comprehensive solution that involves multiple approaches, better engagement, and a deeper understanding of the security risks involved.
Author Information
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact Lorenzo securely on Signal at +1 917 257 1382, on Keybase/Telegram @lorenzofb, or via email at lorenzo@techcrunch.com.