Open Source Software in Our Pockets Needs Our Help

Because of this growing complexity, the risks presented by the prevalence of open-source software are growing. Gone are the days when attackers needed you to visit a sketchy website to deliver a malicious payload; now, they need only place it in the software that one of your apps depends on. According to an Atlantic Council report, documented attacks on open-source software increase yearly.

There is also a large attack surface of unintentional vulnerabilities for attackers to exploit. The 2017 Equifax hack, in which attackers believed to be affiliated with the Chinese military stole hundreds of thousands of US citizens’ personal data, was one such attack that took advantage of a security hole left unpatched by negligent code maintainers. Many fear that the 2021 Log4Shell vulnerability, which arguably prompted the introduction of bills such as the Critical Technology Security Centers Act, will lead to the next Equifax-scale hack.

The software supply chain’s reliance on other people’s code also means that a small oversight by one person can affect millions of people. For example, a popular software package called event-stream was modified by attackers to steal Bitcoin in 2018. Though it averaged 2 million downloads a week, only one person maintained it. Thankfully, in this case, somebody spotted an abnormality and raised the alarm. Given the size and scale of the supply chain and hackers’ sophistication, should we assume that society’s good luck streak will continue?

Read Entire Article here: https://www.infosecurity-magazine.com/opinions/open-source-software-pockets-help/
