Cyber attacks from within the open-source community

Attackers and disgruntled developers poison software repositories.
21 June 2022


The 2021 State of the Software Supply Chain, the 6th Annual Report on Global Open Source Software Development is an analysis of developer trends based on a survey of over 30,000 software developers from 160 countries, produced by Sonatype.

A key finding is a 430% growth in what the report calls next-generation supply chain attacks, which actively target open source projects. These differ from the older pattern, in which an attacker waited for a vulnerability in a component to be disclosed and then exploited downstream users who had not yet patched. Instead, the attacker plants malicious code upstream, in the project or package itself, so that every consumer who pulls the compromised version is infected. The world's open source community therefore has to distinguish between legacy supply chain exploits of known weaknesses and next-generation attacks on the supply chain itself.

Open-source security

Over the last seven years, Sonatype has analyzed the patterns and practices associated with Java components downloaded from the Central Repository. In 2019, 10.4% of the billions of downloads had at least one known vulnerability: roughly one in ten OSS downloads is vulnerable.

As issues such as the war in Ukraine have risen on the agenda of many in the tech community, the open source community has also faced protest-as-code, a form of social activism in which a maintainer changes a project's behaviour to make a political point, and every downstream consumer of the next release inherits that change. The report suggests hosting locally the components developers need, so that builds pull only vetted copies rather than whatever the upstream registry currently serves, as a mitigation against such protest or activist actions.

The wisdom of this practice can be seen in the link between the successful outcomes of High Performers (see below) and the practice of keeping a centralized record of applications, their dependencies, and the teams that own them: when a component turns out to be malicious or vulnerable, that record is what tells an organization which applications are affected and who has to fix them.

Given the increase in application breaches, it is no surprise that standards bodies and governments are beginning to implement new standards for securing software supply chains. In the United States, the Linux Foundation's OpenChain Specification, version 2.0, is being adopted with the objective of providing a benchmark for building trust between organizations that exchange software solutions built from open source components.

In the United Kingdom, the National Cyber Security Centre has released new guidance, including eight questions to help development teams evaluate their OSS components and reduce security risk.

The report's ultimate finding is that productivity does not have to come at the cost of reduced security. The full report is available from Sonatype.

Other findings in the report are as follows:

Popular languages: JavaScript usage among developers shows a significant increase, picking up 5m users from its Q1 2020 level of 17.5m to over 22m by Q2 2022.

According to the report, Python remains the second most widely used programming language, with 15.7m users. That is no surprise, since 70% of data science and machine learning experts use Python for their projects. The fastest-growing languages are Rust and Kotlin, whose usage tripled and doubled respectively between Q1 2020 and Q1 2022. Meanwhile stalwarts such as C, C++ and PHP have largely retained their user bases.

Developer types: The report also classifies developers by working persona. In summary:

  • 52% of developers class themselves as balanced, or all-rounders
  • 8% of developers are particularly intellectually curious personality types
  • 5% of developers are especially responsible and cooperative
  • 5% of developers are very much achievement-driven and stable
  • And 2% of developers term themselves introverted

Low-code/No-code: The advent of low-code/no-code tools has mainly affected the low-complexity end of the software industry. Experienced developers are less inclined to use them: only 46% of professionals do, and for those who do, such tools account for less than a quarter of their development work.

Group mentalities: Cluster analysis of a survey of open source management practices identified four clusters, labelled High Performers, Low Performers, Security First and Productivity First. The groups had markedly different levels of performance and patterns of practice; almost every measured factor differed significantly between clusters.

  • High Performers: displayed high productivity and great risk management outcomes
  • Low Performers: showed low productivity and poor risk management outcomes
  • Security First: had low productivity, but great risk management outcomes
  • Productivity First: recorded high productivity, but poor risk management outcomes

Crucially, High Performers achieved their results through a combination of culture, development practices, policy enforcement, automation and integrations applied across the development lifecycle. High-performing enterprise development teams showed 26x faster detection and remediation of open source vulnerabilities.
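As an added illustration of two of the practices the report recommends (serving components from a local mirror with pinned digests, as discussed under open-source security above, and keeping a central record of which applications and teams depend on each component, which is what lets High Performers find and fix an affected application quickly), the script below is example code written for this page, not code from Sonatype or the report. Every package name, file content, digest and team name in it is constructed for the example.

```python
"""Pinned-digest verification for a local component mirror, plus a
dependency inventory lookup. Added example; all package names, bytes and
team names are constructed, not taken from the report."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents, as they were when each component was vetted
# and copied into the local mirror.
KNOWN_GOOD: Dict[str, bytes] = {
    "colour-utils==2.1.0": b"module.exports = function colour(s) { return s; };\n",
    "tiny-parser==0.9.4": b"def parse(text):\n    return text.split()\n",
}

# Central record: pinned digest plus (application, owning team) for every
# consumer. Stands in for an SBOM store or repository manager.
INVENTORY: Dict[str, dict] = {
    key: {"sha256": sha256_hex(data), "consumers": consumers}
    for key, data, consumers in [
        ("colour-utils==2.1.0", KNOWN_GOOD["colour-utils==2.1.0"],
         [("billing-portal", "payments-team"), ("cms", "web-team")]),
        ("tiny-parser==0.9.4", KNOWN_GOOD["tiny-parser==0.9.4"],
         [("ingest-service", "data-team")]),
    ]
}


def verify_artifact(key: str, data: bytes, inventory=INVENTORY) -> str:
    """Classify one fetched artifact: 'ok', 'hash-mismatch' or 'not-in-inventory'.

    Only a name==version that was vetted AND whose bytes still match the
    pinned digest may enter a build. A new upstream release pulled in by a
    loose version range is 'not-in-inventory'; altered bytes under a pinned
    version (a tampered mirror or registry) are 'hash-mismatch'.
    """
    entry = inventory.get(key)
    if entry is None:
        return "not-in-inventory"
    if sha256_hex(data) != entry["sha256"]:
        return "hash-mismatch"
    return "ok"


def verify_fetch(artifacts: Dict[str, bytes], inventory=INVENTORY) -> Dict[str, str]:
    """Verify a whole fetch; a build should proceed only if every status is 'ok'."""
    return {key: verify_artifact(key, data, inventory) for key, data in artifacts.items()}


def affected_teams(name: str, inventory=INVENTORY) -> List[str]:
    """Teams to notify when any pinned version of a component turns out to be bad."""
    teams = set()
    for key, entry in inventory.items():
        if key.split("==", 1)[0] == name:
            teams.update(team for _app, team in entry["consumers"])
    return sorted(teams)


# Constructed upstream fetch: one untouched file, one new release that was
# never vetted, and one pinned version whose bytes have been altered.
FETCHED: Dict[str, bytes] = {
    "tiny-parser==0.9.4": KNOWN_GOOD["tiny-parser==0.9.4"],
    "tiny-parser==0.9.5": b"def parse(text):\n    return text.split()\n# changed behaviour\n",
    "colour-utils==2.1.0": KNOWN_GOOD["colour-utils==2.1.0"] + b"// appended by someone else\n",
}


if __name__ == "__main__":
    for key, status in verify_fetch(FETCHED).items():
        print(f"{key}: {status}")
        if status != "ok":
            name = key.split("==", 1)[0]
            print("  notify:", ", ".join(affected_teams(name)) or "no recorded consumers")
```

In real builds the pinned digests come from a lockfile's integrity field (npm) or from pip's hash-checking mode (`--require-hashes`), and the mirror is a repository manager; the script only makes explicit the check those tools perform, and shows why the record of consumers has to sit beside the digests rather than in each team's head.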