Ben Slater, Chief Product Officer at Instaclustr, writes about how the potential of Open Source Libraries must be balanced with the growing risk of library jacking by hackers.
For all the billions of dollars spent on software by companies, the modern enterprise runs far more on open source than proprietary code.
Today, it would be virtually impossible to survive without using open source. It’s present in around 96% of applications and research has found that around 79% of all code in use comes from Open Source Libraries (OSLs).
These libraries have been a boon to developers, providing invaluable code for all sorts of applications, especially as the pressure to reduce time between updates has increased.
Library code runs with the same privileges as the application that imports it, so organisations in effect grant OSLs the same level of trust as their own custom code. Developers, especially younger ones who have grown up using OSLs, often don’t think twice about pulling code from them.
However, as reliance on OSLs has grown, hackers have taken notice and are increasingly looking to use them as an attack vector to infiltrate unsuspecting enterprises through a technique known as ‘library jacking’.
The most dangerous library in the world
The technique behind library jacking is very simple. Hackers create malicious code, often disguised as something useful that developers are likely to pick up, and plant it in a popular OSL.
Then all they have to do is sit back and wait: developers essentially hack themselves by pulling in the library and building it into their own software.
Crucially with library jacking, the malicious code is then passed down the software supply chain to other companies who use the software.
This means that hackers gain access not only to the company that built the software, but to everyone who purchases and uses it. Library jacking can serve all sorts of purposes, exposing enterprises to threats including the exfiltration of sensitive data, ransomware attacks and more.
The potential for library jacking attacks has been around for a long time. However, it is only in recent years that hackers have really started to exploit the weak defences of OSLs. The best-known case is the 2018 compromise of the event-stream npm package, which picked up a malicious dependency after its maintainership changed hands.
At the time, event-stream had over 2 million downloads, showing how far a single compromised OSL can reach. Research has found a 55 per cent spike in such attacks over recent years, a figure that is likely down to the poor security practices of many open source libraries.
Many OSLs, by their very nature, aren’t run as businesses. They are tended to as a hobby or a side project.
The problem is that this leaves them incredibly vulnerable to attack or takeover. In one instance, the original owner of a library simply handed it to a stranger who offered to help, because he no longer had the capacity to maintain it in his spare time.
For hackers, therefore, the risk-reward equation is simple: hijacking an OSL often requires minimal effort for a huge downstream payoff.
Understanding the threat
The problem for businesses is that, given how foundational OSLs are to modern software development, prohibiting use is not an option.
Not only would it radically slow down DevOps teams by forcing them to develop all code internally, it would involve letting go of the mountains of useful, non-malicious code that makes up the majority of OSL content.
The solution is a more nuanced approach: have the open source expertise available to take advantage of the huge benefits offered by OSLs, while at the same time making sure the software supply chain is secure. In practice that means knowing exactly which libraries and versions are in use, pinning them, and reviewing any change to that set before it reaches production.
On top of this, enterprises need to know that when a vulnerability or a compromised library is discovered, they can quickly work out the ramifications for business operations, especially where business critical functions such as customer databases are affected, and roll out fixes to mitigate the problem.
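The following is an added example, not code from the article or from Instaclustr, showing the kind of check that backs up both points above: it diffs a project's current package-lock.json against a previously reviewed baseline, so that a new transitive dependency (the way flatmap-stream arrived via event-stream), a bumped version, or a republished tarball with a different integrity hash is flagged before it ships, and it matches the current set against an advisory list so the "are we affected?" question is answered from the inventory rather than by guesswork. The lockfile, the baseline and the advisory entry are all constructed for the example; the integrity strings are placeholders, not real digests.

```python
"""Lockfile review: diff a package-lock.json against a reviewed baseline and
check the result against an advisory list. Added example with constructed data."""
import json
from typing import Dict, List, Tuple

# Constructed package-lock.json (lockfileVersion 3 layout: a "packages" map keyed
# by install path). Integrity values are placeholders, not real digests.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-DDDD"},
    "node_modules/event-stream": {
      "version": "3.3.6", "integrity": "sha512-BBBB",
      "dependencies": {"flatmap-stream": "0.1.1"}
    },
    "node_modules/event-stream/node_modules/flatmap-stream": {
      "version": "0.1.1", "integrity": "sha512-CCCC"
    }
  }
}
"""

# Baseline: the dependency set as it looked when it was last reviewed (constructed).
BASELINE = {
    "left-pad":     {"version": "1.3.0",   "integrity": "sha512-AAAA"},
    "lodash":       {"version": "4.17.21", "integrity": "sha512-DDD0"},
    "event-stream": {"version": "3.3.4",   "integrity": "sha512-BBB0"},
    "colors":       {"version": "1.4.0",   "integrity": "sha512-EEEE"},
}

# Constructed advisory feed: package name, affected versions, free-text note.
ADVISORIES = [
    {"name": "flatmap-stream", "versions": {"0.1.1"},
     "note": "malicious payload introduced by a new maintainer (constructed entry)"},
]


def parse_lockfile(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten the lockfile's 'packages' map to name -> {version, integrity}.
    The name is the path segment after the last 'node_modules/', which handles
    nested installs and scoped packages (@scope/name) alike."""
    data = json.loads(text)
    result: Dict[str, Dict[str, str]] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:            # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        result[name] = {"version": meta.get("version", ""),
                        "integrity": meta.get("integrity", "")}
    return result


def diff_against_baseline(current: Dict[str, Dict[str, str]],
                          baseline: Dict[str, Dict[str, str]]) -> dict:
    """Report what changed since the reviewed baseline."""
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    changed: Dict[str, Tuple[str, str]] = {}
    integrity_mismatch: List[str] = []
    for name, new in current.items():
        if name not in baseline:
            continue
        old = baseline[name]
        if old["version"] != new["version"]:
            changed[name] = (old["version"], new["version"])
        elif old["integrity"] != new["integrity"]:
            # Same version, different tarball digest: either the package was
            # republished or the lockfile was edited. Treat as hostile until explained.
            integrity_mismatch.append(name)
    return {"added": added, "removed": removed, "changed": changed,
            "integrity_mismatch": sorted(integrity_mismatch)}


def match_advisories(current: Dict[str, Dict[str, str]], advisories: list) -> list:
    """Return (name, version, note) for every installed package an advisory covers."""
    hits = []
    for adv in advisories:
        pkg = current.get(adv["name"])
        if pkg and pkg["version"] in adv["versions"]:
            hits.append((adv["name"], pkg["version"], adv["note"]))
    return hits


def audit(lockfile_text: str, baseline: dict, advisories: list) -> dict:
    """Full report; 'needs_review' is the signal a CI gate would block on."""
    current = parse_lockfile(lockfile_text)
    report = diff_against_baseline(current, baseline)
    report["advisories"] = match_advisories(current, advisories)
    report["needs_review"] = bool(report["added"] or report["changed"]
                                  or report["integrity_mismatch"] or report["advisories"])
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(LOCKFILE_JSON, BASELINE, ADVISORIES))
```

Run against the constructed data, the report flags flatmap-stream as a newly added package, event-stream as bumped from 3.3.4 to 3.3.6, lodash as a same-version integrity mismatch, and the flatmap-stream advisory as a direct hit. The baseline should itself be stored and signed outside the repository that developers push to, otherwise an attacker who can edit the lockfile can edit the baseline too.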
For businesses, the cyber security landscape is constantly evolving as hackers find new avenues of attack. In recent years we have seen ransomware rise up the agenda, and library jacking looks set to be one of the biggest dangers over the next few years.
In order to protect themselves, all businesses need to make sure they’re in a position to reap the benefits of open source while not exposing themselves to unnecessary risks.