Earlier this year, a Microsoft developer discovered that someone had inserted a backdoor into the code of XZ Utils, an open source compression utility that ships with almost every Linux operating system.
The process had begun two years earlier, when a contributor going by the name JiaT75 started submitting changes to the XZ Utils repository on GitHub. One cybersecurity expert described the attack as a “nightmare scenario” and “the best supply chain attack ever carried out.”
The attack, which followed other well-known cybersecurity incidents involving open source software such as Heartbleed, Shellshock, and Log4j, was another stark reminder that open source software, given its reach, can pose significant security risks.
At TechCrunch Disrupt 2024, Bogomil Balkansky, partner at Sequoia Capital; Aeva Black, chief of open source security at the US Cybersecurity and Infrastructure Security Agency (CISA); and Tidelift co-founder Luis Villa sat down to discuss the challenges of securing open source software.
“I would say open source isn’t free like pizza. It’s free like a puppy. If you take it home and don’t feed it, it’s going to eat your furniture and your shoes,” Black said.
Balkansky described open source software as “the lifeblood of software,” making it “essential and embedded in everything.” The problem, Balkansky added, is that “the open source business model is still a work in progress.”
So who should look after it, and who should pay for its insurance?
Villa and his team at Tidelift propose a model in which the company pays open source maintainers to keep their code maintained and partners with them to fix vulnerabilities.
Black explained that CISA is getting involved now, launching initiatives to inform companies about the best, and worst, security practices when it comes to publishing open source software. “We’re here to participate as a member of the open source community and work with them,” said Black, who believes open source software is a public good.
As for how to move forward, Balkansky said that “the open source security solution, at least to some extent, also needs to be open source,” and warned that “there are no silver bullets.”
Villa said there is a need for “multiple approaches” and “defense in depth,” meaning several layers of security are needed to protect the open source ecosystem.
Black said software creators need to know what open source software is in their products. “We need better engagement to enable everyone to do this with less effort and less burden on individual volunteer maintainers and nonprofits,” Black said.