Open-source software supply chain vulns have doubled in 12 months

Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach. Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components …

  1. Anonymous Coward

    Facepalm

    Well, thank goodness for proprietary closed-source software where vulnerabilities don't get detected, reported or fixed and therefore don't exist.

    I don't suppose those Open Sourcerers would ever consider issuing patches, either.

    1. GnuTzu

      Code Repositories -- Wild, Wild West

      Just how different are code repositories from the primary OS repositories of the major Linux distros? And how much more probable is it that a zero day will show up in an alpha or beta repo than in that of a release version? I'm thinking these things need to get some moderation and other security controls.

    2. Anonymous Coward

      Re: Facepalm

      Oooh, that looks like a very big straw man you've just set up there.....

      This is about an increase in vulnerabilities in open source. Putting your fingers in your ears and going "la la la, closed source is worse" doesn't cut it.

      How is the open source community going to reverse this and increase security? How bad does it have to get before they pay attention to it at all?

  2. Anonymous Coward
    Linux

    Software supply chain attacks?

    “The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk 400% in the last decade.”

    How can the exploit time fluctuate if the Source Code has been in the public domain all the time?

    1. DavCrav

      Re: Software supply chain attacks?

      "“The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk 400% in the last decade.”

      How can the exploit time fluctuate if the Source Code has been in the public domain all the time?"

      I want to know how something can shrink by more than 100%, but there you go.

      1. Anonymous Coward

        Re: Software supply chain attacks?

        > "I want to know how something can shrink by more than 100%..."

        Easy, the result of 400% shrinkage is -300%.

        Um...

      2. Anonymous Coward

        Re: Software supply chain attacks?

        "I want to know how something can shrink by more than 100%, but there you go."

        I can't refute that but I'm going to down-vote you anyway :]

    2. bombastic bob Silver badge
      Meh

      Re: Software supply chain attacks?

      Well since "Several of the problems listed by Sonatype involved messing around with NPM, a utility used by JavaScript projects to install dependencies" I'd say that the problem is NOT open source software per se; it's the reliance on a potentially buggy [and security risk] system for "updates".

      Updates are overrated, ESPECIALLY when they result in CREATING back-doors and viruses and trojans [oh my!]. You don't need "bleeding edge" all of the time. It's better to have something STABLE that gets timely security patches. This goes TRIPLE for things that "change the rules" (Firefox 57 comes to mind) on you, even though you REALLY LIKE THE ONE YOU HAVE and REALLY HATE WHAT THEY DID TO IT.

      "Just because a buggy application is 'open source' does NOT mean that 'open source' is the problem." - Captain Obvious

      Also worth pointing out that Javascript is in and of itself "a problem".

      1. big_D Silver badge

        Re: Software supply chain attacks?

        The problem isn't open source per se, it is that the code gets fixed, published, people can look at it and work out easily where the problems were and quickly exploit them. With closed source, they need to reverse engineer or get lucky. Once the fix is published, with closed source, they have a heads up where to look, which also shortens the exploit time there.

        Add in that, as said, a lot of security updates never get centrally reported, as stated in the article, just in the daily check-ins and release notes, which most people only read if they are actually installing an update, if at all. That means most users never even know there are security patches available.

        But a lot of open source is installed and forgotten about, because it is "open source" and not Microsoft / IBM / SAP, it often sits unloved on a server somewhere in the metaphorical corner and doesn't get updated, because it isn't "core" to the company's LoB.

        That gives a lot more scope for exploiting open source software, not because it is worse than closed source, but because the information is easily accessible by hackers, down to which lines of code have been modified, and the users often aren't informed in time that there are patches available, unless it is a major issue. The dozens of minor issues that the devs discover themselves and patch quietly in the check-in logs are still available to the hackers, but which user pores over the daily check-in logs of every bit of software they have installed?

      2. Anonymous Coward

        Re: Software supply chain attacks?

        > 'Also worth pointing out that Javascript is in and of itself "a problem".'

        So is breathing, in certain environments.

        1. Anonymous Coward

          Re: Also worth pointing out that Javascript is in and of itself "a problem".

          No, people who don't know how to use JavaScript but insist on writing it are the problem. Just like people can write bad code in any other language. And knowledge of other curly bracket languages does not make you a JavaScript developer or mean that your lack of understanding is JavaScript's fault.

  3. Will Godfrey Silver badge
    Unhappy

    Curious

    This seems to be long on fear factor, and short on current news.

    Also, logically if time has reduced by 100% it has gone from whatever it was to zero. More than that is time travel. Are they really saying the vulnerabilities are being discovered before they exist?

  4. kain preacher

    Is this why Linus took a break ?

  5. JLV
    Black Helicopters

    This makes sense. Yes, it's open source, but in practice they're much like binaries - many install scripts have active payloads on install - you have to trust the code before seeing it (though you could browse what's _hopefully_ the same code on GitHub).

    Open source collaboration is too valuable, and even high quality closed source is not sufficiently superior wrt security, for us to seriously roll back in time.

    But this trust by default reminds me a bit of when we were still exchanging EXEs and active VBAs in Outlook. It was only a matter of time till someone got hurt.

    What gets my goat is when StackOverflow questions on how to do something simple in Python, JS, Chef, Ansible, Django get answered with "oh, don't worry your pretty little head, install package XYZ". Who cares if the code you'd need to write yourself would be <20 lines vs installing a package that's 4 yrs old, has 1, unknown, author, and only 200 downloads?

    1. bombastic bob Silver badge
      FAIL

      DJango deserves its own category. How many web authors leave it in 'debug' mode to avoid the complexity of identifying everything that's capable of being downloaded...

      nevermind it's bloatware on steroids written in python for good measure.

      icon for DJango in and of itself. yeah. PHP and CGI for the win!

      1. JLV

        he he. we agree on something. on debug mode django dumps out stack traces to the browser. all daemon-visible server env variables too, for extra transparency, though there’s i believe a regex to scrub out ‘.*(secret|password).*’.

        django 101: debug = True's only for dev. if someone’s too dumb to know that it’s like someone not knowing you should always assume a gun is loaded.
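As an added illustration of the point JLV makes above (this is not code from the thread or from Django itself), a stand-alone Python model of name-based secret scrubbing run over a constructed settings dict: the narrow `(secret|password)` pattern quoted in the comment redacts conventionally named keys and leaves anything else in clear text, and a pre-deploy check flags `DEBUG=True` before the app ships. The `BROAD` pattern and all setting names and values are constructed for the example.

```python
import re

# Pattern as quoted in the comment above. Django's real debug-page filter is
# wider, but the lesson is the same: a name-based regex only redacts keys that
# happen to follow a naming convention; it never inspects the value.
NARROW = re.compile(r"(secret|password)", re.IGNORECASE)
# Constructed wider pattern used here only to flag credential-looking names
# that the narrow scrub would leave readable.
BROAD = re.compile(r"(secret|password|pass|token|key|api|signature)", re.IGNORECASE)
REDACTED = "********************"


def scrub(settings, pattern=NARROW):
    """Return a copy of a settings/env mapping with matching keys redacted.

    Models what a debug page does before rendering settings or environment
    variables: the decision is made on the key name alone.
    """
    return {k: (REDACTED if pattern.search(k) else v) for k, v in settings.items()}


def deploy_findings(settings):
    """Pre-deploy checks for a Django-style settings mapping.

    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    if settings.get("DEBUG", False):
        # With DEBUG on, an unhandled exception renders a traceback plus the
        # (scrubbed) settings and environment to whoever triggered it.
        findings.append("DEBUG=True: tracebacks, settings and env are shown to clients")
    for name in settings:
        if BROAD.search(name) and not NARROW.search(name):
            findings.append(f"{name}: credential-looking name the narrow scrub would not redact")
    return findings


# Constructed sample settings (placeholder values, not real credentials).
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-placeholder",
    "DATABASE_PASSWORD": "placeholder-db-pw",
    "AWS_ACCESS_TOKEN": "placeholder-token",
    "ALLOWED_HOSTS": ["example.invalid"],
}

if __name__ == "__main__":
    for key, value in scrub(SAMPLE_SETTINGS).items():
        print(f"{key} = {value}")
    for finding in deploy_findings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Running it shows `SECRET_KEY` and `DATABASE_PASSWORD` redacted while `AWS_ACCESS_TOKEN` survives the narrow scrub, which is the gap a reviewer would want a wider allow-list or a value-aware check to close.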

      2. Anonymous Coward

        > "PHP and CGI for the win!"

        That's "teh" win.

  6. Maelstorm Bronze badge
    Devil

    Hmm....

    I'm more interested in the fact that hackers were caught installing vulnerabilities directly into the source code and very few people are noticing. The ones that have been reported are probably the tip of the iceberg. That is one of the big issues with open source, when everybody is working on it, who is vetting these people and making sure that they are not doing something nefarious? Brings to mind "too many cooks...."

    1. Nick Kew

      Re: Hmm....

      Indeed, much more interesting.

      Or would be, if it were more than a dark hint. Who exactly is being accused here? Developer communities? Packagers? Distributors? And what are they accused of: malice, incompetence, insufficient oversight, being blackmailed, ??? Or is this just the case that's been my bugbear for years, of downloads from reputable sources but with no cryptographic signature?
