date 2024-12-04

New research has shown that despite widespread use of free and open source software libraries in enterprise environments, security continues to be a significant problem.

The Linux Foundation, the Open Source Security Foundation (OpenSSF) and Harvard University published a new report Wednesday that examined security challenges related to the growing use of free and open source software (FOSS) libraries. The report, titled "Census III of Free and Open Source Software," includes data from more than 12 million observations of FOSS libraries used in production applications at more than 10,000 companies across the public and private sectors.

Census III marks the third report in a series of FOSS investigations from the three organizations. The report was authored by Frank Nagle, assistant professor at Harvard Business School; Kate Powell, program manager at the Laboratory for Innovation Science at Harvard; Richie Zitomer, predoctoral fellow at Harvard Business School; and David A. Wheeler, director of open source supply chain security at the Linux Foundation and staff member at OpenSSF.

The report detailed a plethora of security challenges related to developer accounts, legacy technology and an overall lack of support for FOSS packages. The authors stated that the report aims to highlight the most widely used FOSS packages at the application library level and the challenges they face.

The authors called for changes to be made if security is to keep pace with the increasing use of FOSS libraries at the enterprise level.

"Given the distributed nature of FOSS, only through data sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come," the authors wrote in the report.

The Census III report highlighted many security concerns related to individual developer accounts. The authors observed that some accounts did not have MFA enabled, "leaving individual computing environments more vulnerable to attack." Additionally, the report found that in a majority of cases the developer accounts lacked important permission and publishing controls compared with organizational accounts, which makes it easier for attackers to change the code once the accounts are compromised.

"These potential risks are not hypothetical; developer account takeovers have begun occurring with increasing frequency, both in forges such as GitHub and in repositories such as the npm repository and PyPI," the report said.

The report also warned that "backdooring" is one popular method attackers use once they have compromised an account. As the name suggests, the technique gives attackers a backdoor into organizations: they insert malicious code into a package they control, and that code grants them access to any environment where the host package is installed.

For example, earlier this year Checkmarx observed a threat campaign where attackers took over influential GitHub accounts and made commits to popular GitHub organizations, including Top.gg. Additionally, in August a backdoor was discovered in the open source liblzma package for XZ, a popular compression library used in many Linux distributions. Microsoft developer Andres Freund traced the backdoor to an authorized XZ maintainer known as Jia Tan, who intentionally added the malicious code to the library.

The authors noted that cases like the XZ backdoor, in which developers intentionally subvert the security of software, are an "even more serious problem" despite being rare. "Thus, in the contexts of both security and general risk management, it is critical that developer accounts be understood and strongly protected," the report said.