“Changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection”
Of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts, the Linux Foundation’s Core Infrastructure Initiative has warned, saying this could pose a security risk to code at the heart of the global economy.
The finding came as the CII delivered the first major census of the free and open source software (FOSS) components that are most widely used in production applications.
The dominance of individual developer’s GitHub and other code repository accounts was highlighted in the report as potentially worrying for security and stability.
Such reliance on individual accounts comes despite the Foundation and its partners having been able to identify the company affiliation of 75 percent of the top committers to the projects listed.
The Linux Foundation noted: “The consequences of such heavy reliance upon individual developer accounts must not be discounted.
“For legal, bureaucratic, and security reasons, individual developer accounts have fewer protections associated with them than organizational accounts in a majority of cases.
“While these individual accounts can employ measures like multi-factor authentication (MFA), they may not always do so and individual computing environments may be more vulnerable to attack. These accounts do not have the same granularity of permissioning and other publishing controls that organizational accounts do.”
It added: “This means that changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection.”
By running a query on GitHub data, the Foundation was able to determine the top three committers for each of the FOSS projects and identify company affiliations for the majority—over 75 percent—of the top committers.
(Needless to say, this does not mean that contributions were made as a representative of that company; many developers also contribute in their own time to projects with which they may or may not also have a corporate affiliation).
The report comes amid growing concerns in some quarters about the “back-dooring” of open source software code bases, following several recent such attacks.
The census also points to the risk of developers “deleting” their developer accounts. This happened in 2016 with a package called “left-pad,” with consequences that stakeholders described as “breaking” the Internet for several hours: “Similarly, in 2019, a developer who disagreed with a business decision undertaken by Chef Software removed their code from the Chef repository with similar downstream impacts.”
How does your business mitigate the risk of security flaws in open source components? We’d be keen to hear from you.