
John Trest at the VIPRE Security Group explains why open-source software can be a massive supply chain risk
In a recent and unprecedented event within the open-source community – labelled a prank by the software author – the npm package registry experienced a significant disruption due to the publication of a package named "everything". This package, along with over 3,000 sub-packages, was designed to depend on every other public npm package, creating a vast web of dependencies.
This situation not only highlighted the fragility of the npm ecosystem but also underscored the critical need to further raise awareness about the risks associated with utilising open-source software.
The "everything" package, initially perceived as a harmless prank, inadvertently showcased the potential for a single package to impact the entire npm registry significantly. By creating a scenario where developers were unable to unpublish their packages due to the extensive dependency chain established by "everything," the npm community faced a unique form of disruption.
This incident serves as a stark reminder of the inherent risks associated with open-source software dependencies and the importance of understanding and managing these risks effectively.
While this “prank” was surely disruptive, there are valuable lessons to be learned and applied as we move forward with software development.
First, dependency management from a security engineering perspective is crucial. “Everything” underscores the importance of diligent dependency management and the need for tools and practices that can help identify and mitigate potential risks associated with third-party packages.
Second, “everything” serves as a reminder to review and revise our policies and procedures around open source. The ability of a single package to create such a widespread impact highlights the need for robust policies and procedures within package ecosystems to prevent similar incidents in the future.
Last, and certainly not least, the ecosystem and community around open-source software bear ever greater responsibility for the security of the software supply chain. Such communities thrive on collaboration and shared responsibility.
This event warns of the impact individual actions can have on the broader community and the importance of considering the collective well-being when contributing to open-source projects.
Having reflected on the security implications and subsequent lessons learned from “everything”, what steps can we take from here on out to help reduce the risks pertaining to the use of open-source software in the enterprise?
While adopting such change is not something that happens overnight, there are four strategies that can be adopted relatively quickly to begin making a measurable impact on the security of your software supply chain:
1. Implement rigorous dependency scanning: Organisations should adopt Software Composition Analysis tools to help scan dependencies for known vulnerabilities and automatically enforce policies to prevent the introduction of high-risk software components. Integrate such scanning into your pipelines to help prevent the introduction of such components at scale.
2. Educate and train developers: Providing developers with training on secure coding practices, including the management of open-source dependencies, is crucial in mitigating risks. Understanding the potential security implications of third-party packages can help developers make informed decisions. Ultimately, developers will need to integrate and adopt many of the strategies you seek to employ - let’s make sure they have the foundational understanding to make it a success.
3. Contribute to open-source security: Engaging with the open-source community to contribute to the security of projects can help improve the overall health of the ecosystem. Reporting vulnerabilities, contributing patches, and supporting secure development practices benefit all users of open-source software. If you haven’t done so already, consider donating to those projects you depend on most. Many in the open-source community are developing this software in their spare time.
4. Establish a robust open-source governance framework: Organisations should develop and enforce a governance framework that outlines clear policies for the use of open-source software. This framework should include criteria for selecting and approving open-source components, processes for regular updates and patch management, and guidelines for contributing back to the open-source community. By having a structured approach to open-source usage, organisations can ensure that they benefit from the agility and innovation that open-source offers while minimising potential security and compliance risks.
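The following is an added example, not code from the article or from VIPRE: a toy model of a package registry that shows the mechanism described above (a package that depends on everything leaves every package it reaches with a dependent, so none of them can be unpublished) alongside the kind of fan-out policy gate that strategy 1 asks a Software Composition Analysis step to enforce in the pipeline. The registry contents, the unpublish rule and the `MAX_TRANSITIVE_DEPS` threshold are all constructed for this example.

```python
"""Constructed model of an 'everything'-style dependency incident and a
simple policy gate. The registry, the unpublish rule and the threshold are
assumptions made for this example, not npm's real data or exact policy."""
from collections import defaultdict

# Constructed sample registry: package -> set of its direct dependencies.
REGISTRY = {
    "left-pad": set(),
    "is-number": set(),
    "is-odd": {"is-number"},
    "chunk-0": {"left-pad", "is-odd"},   # sub-packages fan out across the registry
    "chunk-1": {"is-number"},
    "everything": {"chunk-0", "chunk-1"},  # reaches every other package via chunks
}

def reverse_dependents(registry):
    """Map each package to the set of packages that depend on it directly."""
    dependents = defaultdict(set)
    for pkg, deps in registry.items():
        for dep in deps:
            dependents[dep].add(pkg)
    return dependents

def transitive_closure(registry, pkg):
    """All packages reachable from pkg by following dependency edges."""
    seen, stack = set(), [pkg]
    while stack:
        for dep in registry.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def can_unpublish(registry, pkg):
    """Assumed rule: a package with at least one dependent cannot be unpublished."""
    return not reverse_dependents(registry)[pkg]

def blocked_packages(registry):
    """Packages whose maintainers are locked out of unpublishing."""
    return sorted(p for p in registry if not can_unpublish(registry, p))

MAX_TRANSITIVE_DEPS = 4  # constructed policy threshold sized for this toy registry

def policy_violations(registry):
    """SCA-style gate: flag packages whose transitive fan-out exceeds the threshold."""
    return sorted(p for p in registry
                  if len(transitive_closure(registry, p)) > MAX_TRANSITIVE_DEPS)

if __name__ == "__main__":
    without = {k: v for k, v in REGISTRY.items() if k != "everything"}
    print("blocked before 'everything':", blocked_packages(without))
    print("blocked after  'everything':", blocked_packages(REGISTRY))
    print("policy violations:", policy_violations(REGISTRY))
```

Removing the `"everything"` entry and re-running shows the two `chunk-*` packages becoming unpublishable again, which is the lock-in effect the incident produced at registry scale.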
Let’s dive into that second strategy a bit more: “Educate and Train Developers”. The "everything" npm incident highlights the critical role of application security training in preparing developers and organisations to navigate the complexities of open-source software.
By equipping teams with the knowledge and skills to assess, manage, and mitigate the risks associated with third-party dependencies, organisations can enhance their security posture and contribute to a more secure open-source ecosystem.
Application security training courses are designed to address such challenges head-on, offering comprehensive training modules that cover secure coding practices, dependency management, and open-source security strategies.
By investing in security training, organisations empower their developers to make informed decisions, reduce security risks, and contribute positively to the open-source community.
The "everything" npm package incident serves as a valuable learning opportunity for the open-source community and the tech industry at large. By adopting strategic measures to manage open-source dependencies and investing in application security training, organisations can navigate the open-source landscape more safely and effectively.
John Trest is Chief Learning Officer at the VIPRE Security Group