There’s a lot to love about open source packages. They’re usually free of cost. They’re easy to customize because developers can modify the source code if desired. They’re typically available from public repositories that are readily accessible to anyone with an Internet connection. Yet, from a software supply chain risk management perspective, open source packages pose a major challenge: If they contain malicious code or vulnerabilities, they can become sources of supply chain security problems. That’s why any organization that takes advantage of open source packages (or, for that matter, any other type of open source resources, such as source code that developers copy-and-paste from public repositories into their own codebases) must have a strategy in place for managing the security risks inherent to open source. Doing so is the only way to prevent attacks with far-reaching consequences – such as the Apache Log4J vulnerability, which is just one of the best-known examples of supply chain attacks triggered by vulnerabilities in open source code. Keep reading for tips on securing open source packages as part of your supply chain security management strategy.

The Vulnerability of Open Source Packages

An open source package is a type of open source software resource that organizations can install to deploy open source code within their environments. Open source packages come in many formats, such as Docker container images, Helm charts and Debian packages, to name just a few. Because most open source packages are available at no cost from public software repositories, like Docker Hub, it’s a common practice for businesses to take advantage of open source to help meet their software needs. They might deploy open source packages for software like MySQL or NGINX as standalone applications. Or, they could use open source packages to satisfy dependency requirements for applications whose codebase was developed in-house. Today, more than three-quarters of businesses take advantage of open source software through practices like these. Either way, open source packages can pose security risks. Those risks can originate in two main ways:

• Attackers inserting malicious code into packages, either by modifying the packages themselves or by tampering with open source code before it is packaged.
• Vulnerabilities in open source code that appear due to oversights by the code’s legitimate developers.

If an organization downloads and runs open source packages that are subject to either of these types of risks, attackers can potentially exploit the flaws to gain access to applications or environments that include the vulnerable code. This is an example of a software supply chain attack because it involves breaching an organization by exploiting vulnerabilities in third-party software that it uses.

Strategies for Securing Open Source Packages

For most organizations, choosing not to take advantage of open source due to the potential security risks is hardly an option. Having to develop alternatives to open source packages in-house would require tremendous development resources. Instead, businesses should develop strategies that allow them to leverage open source packages fully, while also keeping the potential supply chain security problems in check. Effective measures for securing open source packages include:

• Health and wellness checks: It’s a best practice to monitor the maintenance frequency and community engagement around open source packages that your company uses. Regular updates and an active community often indicate healthier, more secure packages, because it’s more difficult for malicious code or vulnerabilities to go undetected when many well-intentioned developers are engaged in an open source project.
• Contributor identity verification: Identifying the specific developers who have contributed to a package and examining their histories – a feature available from Checkmarx One’s advanced analysis – can help detect actors who may have malicious intentions. If code originates from a developer who has no known history or who (worse) has authored malicious code in the past, it’s a good sign that you should steer clear of that code.
• Behavioral analysis: Conducting both static and dynamic analysis of the code inside open source packages is essential. Static analysis examines the code for inherent vulnerabilities, like code that is known to be subject to a security flaw. Dynamic analysis observes the code’s behavior during execution, flagging risks that might not be obvious from analyzing the code alone.

Checkmarx One: Comprehensive Software Supply Chain Security

Checkmarx One is a longstanding leader in preventing software supply chain threats of all types, including those linked to open source packages. Using the strategies described above, Checkmarx One scrutinizes open source packages meticulously and warns organizations when they may contain malicious or vulnerable code. To do this, Checkmarx One relies on more than just public vulnerability databases. It also references our industry-leading malicious package database, which serves as a vital resource for developers in making informed decisions about the packages they use. In addition, Checkmarx One’s Threat Intelligence API provides direct access to Checkmarx Supply Chain Security knowledge. This API connects to the malicious package database, allowing developers to query the security status of packages proactively, before they add them to a codebase. This streamlines the internal validation process, ensuring that only secure open source packages are incorporated into the organizational environment.

Open Source Software Packages: Among the Most Common Vectors for Supply Chain Attacks

To protect against open source supply chain risks as effectively and efficiently as possible, developers should have access to tools – like Checkmarx One – that leverage a variety of threat detection techniques to surface risks, and that can automatically and proactively warn developers about insecure packages so they avoid risks long before attackers have a chance to exploit them. Learn more by reading our open source supply chain attack whitepaper, and check out the Checkmarx Supply Chain Threat Intelligence solution brief for details on how Checkmarx helps keep open source supply chains safe.