
Is there any security risk in the supply chain of open source software?

Published: 2018-06-14 16:22:37

Last year brought some alarming attacks that called the security of the open source software supply chain into question. A trojanized build of CCleaner, a free system-cleaning utility, was distributed to thousands of computers. In the same week, a group of attackers uploaded malicious Python libraries to the Python Package Index (PyPI), Python's public package repository; these packages were picked up by Python developers working in enterprises, government agencies and military sites. Both incidents came a few months after the infamous Equifax breach, which exploited a vulnerability in an open source Java web framework library (Apache Struts). Since then, many organizations have paid more attention to their security posture. The Python Software Foundation quickly added a blacklist to PyPI that refuses new uploads under names that imitate popular packages or standard-library modules. GitHub began alerting project maintainers to known-vulnerable dependencies in RubyGems (Ruby) and npm (JavaScript), and plans to extend the alerts to Python later this year.


So, does this mean that open source software can be safely reused?


Not entirely. To protect themselves, enterprises need to understand how the open source software supply chain works. Almost every device in our lives contains a complex system of embedded open source software and runtime libraries.


In open source development anyone can publish a package, and anyone can depend on other people's packages. This mutual sharing makes everyone more productive: developers borrow and improve each other's work, which reduces the amount of code each of them has to write alone.


Unfortunately, it is very hard to vet software uploaded by other people, and anyone can slip a malicious change into a package or library somewhere in the supply chain. On PyPI, for example, attackers used "typosquatting": they uploaded a library named "bzip" so that it would be mistaken for "bz2file". Many people installing a library in a hurry never notice the difference, and once the malicious library runs, its author can see which machines and users have installed it. In a related attack, someone simply uploaded packages under the names of existing standard-library modules, so that a developer who mistakenly tried to install a standard-library name from PyPI received malicious code instead of nothing at all.


What complicates things further is that widespread infection is often not the attacker's goal. In the CCleaner case, the more than 100,000 infected machines were merely collateral damage; the attackers were really after about 18 companies, and all they needed was to compromise a package those companies used.


The Python Software Foundation, GitHub and others have taken important steps against these kinds of attacks, but businesses and the open source community can do more to stop them.



