The market is now firmly committed to emphasising open source software vulnerabilities and wants to take supply chain security for businesses more seriously. On Thursday, Legit Security published research on software supply chain attack vulnerabilities in Apache and Google open source projects, just two days after Google unveiled the Open Source Software Vulnerability Rewards Program (OSS VRP), which pays bug rewards for open source vulnerabilities. According to Legit Security, they didn’t delay their news release to coincide with Google’s announcement of a bug bounty programme earlier this week.
“Google was responsive and fixed in a day,” said Derick Townsend, a vice president at Legit Security. “We were probably part of their beta on this, but as far as the timing of the two announcements, it was purely coincidental.”
Researchers from Legit Security claimed to have discovered a brand-new CI/CD flaw termed “GitHub Environment Injection” that enables attackers to take over a project’s GitHub Actions CI/CD pipeline. According to the researchers, any GitHub user could exploit this weakness to alter the project’s source code, steal information, move laterally and attack systems inside the organisation, and ultimately launch a supply chain attack akin to SolarWinds.
According to Legit Security, the Google Firebase project and a very popular Apache integration framework project both contained the vulnerability. Following an initial disclosure by Legit Security, the vulnerabilities were acknowledged and patched by both Google and Apache.
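The article does not describe the mechanism, so as an added illustration (not code from the page, from Legit Security, or from the affected projects) the check below assumes the usual shape of this bug class: a workflow step that appends attacker-controllable event data, such as a pull request title, to the `$GITHUB_ENV` file. The sample workflow is constructed, and the list of untrusted contexts is the editor's own, not an official GitHub list.

```python
import re

# Constructed sample workflow: the "risky" step writes a pull-request title,
# which any GitHub user can set, straight into $GITHUB_ENV; the "safer" step
# passes the same value through an env: mapping and never touches GITHUB_ENV.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: risky
        run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
      - name: safer
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "title is $PR_TITLE"
"""

# Event fields that an outside contributor controls on a public repository
# (editor's list, assumed; extend it to match your own threat model).
UNTRUSTED_CONTEXTS = re.compile(
    r"github\.(event\.(pull_request\.(title|body|head\.(ref|label))"
    r"|issue\.(title|body)|comment\.body|review\.body|head_commit\.message"
    r"|commits\[[^\]]*\]\.message|pull_request\.head\.repo\.[a-z_]+)"
    r"|head_ref)"
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")


def find_env_injection_risks(workflow_text):
    """Return (line_no, context) pairs for lines that append to $GITHUB_ENV
    or $GITHUB_PATH while expanding an untrusted ${{ ... }} expression."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        if "GITHUB_ENV" not in line and "GITHUB_PATH" not in line:
            continue
        for expr in EXPRESSION.findall(line):
            match = UNTRUSTED_CONTEXTS.search(expr)
            if match:
                findings.append((line_no, match.group(0)))
    return findings


if __name__ == "__main__":
    for line_no, context in find_env_injection_risks(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted {context} written to GITHUB_ENV")
```

Run it over the `.github/workflows/` directory of a repository; a hit means the step should be rewritten to pass the value through `env:` and validate it before any write to `$GITHUB_ENV`.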
According to Philip Odence, general manager of the Black Duck Audit Business at Synopsys Software Integrity Group, Legit Security appears to have followed an ethical disclosure approach, making sure that patches were available before the vulnerabilities were made public.
According to Ryan Kennedy, a cybersecurity consultant at nVisium, having numerous engineers able to analyse the code of open source software brings many advantages. Kennedy said that by announcing its new OSS VRP bug bounty programme, Google had urged security researchers from the bug bounty community to examine OSS.
“Google is leveraging their experience with running bug bounty programs to help secure the greater open-source ecosystem, which will hopefully incentivize further security research into OSS,” Kennedy said. “Overall, this is a positive for OSS and supply security by providing additional incentives to perform good-faith security research in these areas.”
According to Casey Bisson, BluBracket’s head of product and developer enablement, the world economy now depends heavily on open source, and in some circumstances this has real-world safety implications. The real trend, according to Bisson, is the long-term transition away from custom-building everything towards using off-the-shelf components.
“Today, that means a combination of cloud services and open-source software,” Bisson explained. “That trend has been the foundation of the incredible growth in software we’ve seen, and the scale of that growth is what’s behind the supply chain complexity we’re seeing now. We do see some banner vulnerabilities in open source, but the shift to open source is a great boon for improving security. All software has some bugs and security vulnerabilities, but the additional eyes on open source help identify and fix those risks more quickly and effectively than in closed source solutions.”