How to make open source software more secure

Date:

Share post:


Earlier this year, a Microsoft developer realized that someone had inserted a backdoor into the code of open source utility XZ Utils, which is used in virtually all Linux operating systems. 

The operation had started two years earlier when that someone, a person nicknamed JiaT75, started contributing to the XZ Utils repository on GitHub. A cybersecurity expert called this attack a “nightmare scenario” and “the best executed supply chain attack we’ve seen.” 

The attack, which followed other well-known cybersecurity incidents involving open source software like Heartbleed, Shellshock, and Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant security risks.  

At TechCrunch Disrupt 2024, Bogomil Balkansky, partner at Sequoia Capital; Aeva Black, the section chief for open source security at the U.S. Cybersecurity and Infrastructure Security Agency; and Luis Villa, the co-founder of Tidelift, sat down to discuss the challenges of securing open source software. 

“I like to say open source is not free like pizza. It’s free like a puppy. You take it home and don’t feed it, it’s going to eat your furniture, your shoes,” said Black. 

Balkansky called open source software the “lifeblood of software,” which makes it “foundational and baked into everything.” The problem, Balkansky added, is that “the business model for open source is still very much work in progress.”

So, who should take care of it and pay to secure it?

Villa and his team at Tidelift propose a model where the company pays open source maintainers to take care of their code and partners to fix vulnerabilities. 

CISA, Black explained, is now getting involved, launching initiatives to tell businesses what are the best — and worst — security practices when it comes to deploying open source software. “We’re here to participate as a member of the open source community and work with them,” said Black, who thinks open source software is a public good.

In terms of how to go forward, Balkansky said that “the solution to open source security, at least to some degree, also needs to be open source,” and warned that “there are no silver bullets.” 

Villa said that there’s a need for “multiple approaches” and “defense in depth,” which means there’s a need for several layers of security to protect the open source ecosystem. 

And Black said that software builders need to know which open source software is in their products. “We need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and nonprofits,” Black said.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Microsoft and a16z set aside differences, join hands in plea against AI regulation

Two of the biggest forces in two deeply intertwined tech ecosystems — large incumbents and startups —...

SpaceX wants to test refueling Starships in space early next year

SpaceX will attempt to transfer propellant from one orbiting Starship to another as early as next March,...

Perplexity launches an elections tracker

Perplexity, the AI-powered search engine, might hallucinate from time to time. But the company wants to show...

When to sell your company? Look for these signals

Part of the mythology of Silicon Valley is the committed founder driving the company to a blockbuster...

The Chainsmokers want to bring a different kind of value add to B2B companies

The potential value a celebrity investor can bring to a consumer company, beyond just writing a check,...

New funding rounds confirm that money attracts money

Welcome to Startups Weekly — your weekly recap of everything you can’t miss from the world of...

ChatGPT: Everything you need to know about the AI-powered chatbot

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm since its launch in November 2022....

The biggest underestimated security threat of today? Advanced persistent teenagers

If you ask some of the top cybersecurity leaders in the field what’s on their worry list,...