A long-touted advantage of open source software is that it has the potential to be as secure as or more secure than proprietary code because it is open to independent inspection. The idea is that many eyes lead to few mistakes. In practice, however, this protection has limitations precisely because there are often not many eyes available. The issue of sabotage, moreover, strikes at the heart of the premise of open source as a decentralized, non-federated space.
“There’s nothing really in place, systemically, to prevent insider sabotage from happening more often,” says Dan Lorenc, an open-source software supply chain researcher and founder of security firm Chainguard. “Projects build reputations over time, and people, often pseudonymous, come to trust each other’s digital identities because of the work they’ve done. There is no global list of approvers and each project has a different culture about how you become an approver,” meaning a developer who is authorized to approve and publish code changes.
There is no way to completely eliminate the threat of someone supporting an open source project going rogue, either for personal reasons or due to criminal or government influence. But so-called “insider threats” cannot be completely eliminated in private companies either. The open source community and big influencers like GitHub are increasingly looking to automated code scanning tools to put more eyes (digital ones, at least) on even the most esoteric projects and catch more bugs or potentially suspicious changes before they go live or soon after.
Casting such a wide net is especially important because of another open source security problem, where bad actors infiltrate projects or convince burned-out maintainers to hand over the reins and then have full control to deploy whatever they want. Automated scanners have limitations, however, and Lorenc notes that they are often better at picking up accidental bugs than changes intended as deliberate sabotage.
Longtime open source security researchers and practitioners, however, are adamant that another vital defense exists out in the open: a massive expansion of the support and resources that maintainers can draw on in general, and especially if their fun hobby project ends up becoming a critical link in the global software supply chain.
“It’s easy to take from open source, but giving back is ad hoc or best-effort, and most beneficiaries may not even realize they’re a beneficiary and don’t contribute back in any meaningful way,” said Eric Brewer, vice president of Google Cloud infrastructure.