The hidden risks of open-source software: A wake-up call for national security

Scott Aken, CEO, Axellio, says growing dependence on OSS introduces unique vulnerabilities – particularly for defense contractors and organizations tasked with safeguarding national security.

Open-source software (OSS) is foundational to our digital infrastructure. Yet, as with any widely used technology, its ubiquity and openness also make it a prime target for exploitation.

The growing dependence on OSS introduces unique vulnerabilities, particularly for defense contractors and organizations tasked with safeguarding national security.

While OSS offers cost efficiency and a robust development model, it also presents a glaring risk: the inclusion of software components developed by contributors in adversarial nations.

Recent research underscores the potential dangers. A report by Fortress revealed that a significant percentage of OSS contributions for software products used to manage the US power grid originate from countries such as Russia and China. These nations, which have consistently demonstrated sophisticated cyber capabilities, raise legitimate concerns about the integrity and security of OSS code embedded in US systems.

OSS thrives on its global, collaborative nature. Developers worldwide contribute to improving software functionality and fixing bugs, creating an ever-evolving ecosystem. However, this interconnectedness is a double-edged sword. Software supply chains, composed of various OSS libraries, often lack robust scrutiny, opening the door to vulnerabilities that adversaries can find and exploit later.

The Log4j vulnerability, a critical flaw discovered in the widely used open-source logging library, serves as a stark example of how OSS can become a significant security liability. Nation-state actors, including Iran’s Phosphorus group and China’s Hafnium group, exploited this vulnerability to target critical systems worldwide. This incident underscores the inherent risks of relying on open-source components without sufficient scrutiny, particularly when those components are integrated into sensitive and mission-critical systems.

For defense contractors, the stakes are exceptionally high. The shift toward software-defined systems in defense applications – from supply chain management to advanced weaponry – has amplified the reliance on OSS. This shift is driven by the need for cost-effective, scalable and adaptable solutions that can keep pace with rapidly evolving technological demands and operational requirements. Open-source software often provides a foundation of reusable components for COTS solutions, accelerating development timelines and enabling innovation. However, the same qualities that make OSS attractive – its collaborative and open nature – also create vulnerabilities. The transparency and global contributions inherent to OSS can allow malicious actors to identify and exploit weaknesses in widely used software libraries, potentially compromising sensitive defense systems.

Consider the layered dependencies in modern software systems. A single application might incorporate dozens – or even hundreds – of OSS libraries, each with its own sub-dependencies. This complexity makes it nearly impossible to verify the provenance and integrity of every line of code, especially when some components originate from developers in adversarial nations.

A recent example involved the Log4Shell vulnerability, as referenced earlier, discovered in the widely used Log4j library in 2021. Although the flaw wasn’t intentionally inserted, it underscored how a single vulnerability in an OSS library can cascade through countless systems, creating widespread disruption. For defense contractors, such risks are multiplied; an adversary exploiting OSS vulnerabilities could exfiltrate sensitive data, disrupt critical operations, or compromise the effectiveness of mission-critical systems.

The ramifications extend beyond immediate operations. For military systems, compromised software could undermine confidence in defense capabilities, potentially deterring allies or emboldening adversaries.

OSS’s strengths are also its greatest weaknesses. Unlike proprietary software, where the source code is tightly controlled, OSS is publicly available. While this openness fosters innovation, it also allows malicious actors to insert vulnerabilities or exploit existing ones.

Nation-state actors are particularly adept at exploiting OSS flaws. A notable example is the 2017 Equifax data breach, where attackers exploited a vulnerability in Apache Struts, an open-source web application framework, to gain unauthorized access to sensitive data of approximately 145 million Americans. 

In another example, Microsoft researchers identified the North Korean group ZINC as “weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording software installer”, using those tools to deliver malware to unsuspecting organizations.

The regulatory landscape is evolving to address these challenges. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 framework emphasizes adherence to robust cybersecurity practices, with an increased industry focus on maintaining Software Bills of Materials (SBOMs) that document all open-source components and their origins. While not explicitly mandated under CMMC 2.0, SBOMs are increasingly recognized as essential for managing supply chain risk.

Additionally, Executive Order 14028 on Improving the Nation’s Cybersecurity mandates enhanced software supply chain security measures. Federal agencies are now required to obtain SBOMs from vendors of critical software, with specific provisions addressing the risks posed by open-source dependencies in these systems. These evolving requirements reflect a growing recognition that OSS security is fundamental to both defense contracting and national security.

A final consideration is the update process for OSS code.

Vulnerabilities that require updates are discovered in software all the time. If someone downloads OSS and builds it into their code, who goes back a few years later to check whether that OSS has been updated? According to Synopsys, the answer is quite often no one.

The Synopsys 2024 Open Source Security and Risk Analysis Report found that 91% of codebases contain components that have had no new development in over two years and contained components that were 10 versions or more behind the most current version of the component. The picture is no better further out: the study also found that 89% of codebases still contain OSS that is more than 4 years out of date. So, relying on other companies to do the security analysis and vetting of OSS for you might not be such a safe bet.

Mitigating the risks associated with OSS requires a multi-faceted approach. For organizations operating in national security, the following steps are crucial:

  1. Improved Transparency: Defense contractors and other critical organizations need greater visibility into their software supply chains. Tools that map software dependencies can identify components of questionable origin and highlight potential risks.
  2. Enhanced Governance: Establishing stricter guidelines for OSS usage in sensitive systems is essential. This includes conducting rigorous code reviews, implementing robust version controls, and mandating compliance with security standards.
  3. Collaborative Threat Intelligence: The defense sector must collaborate with government agencies, industry peers, and OSS communities to share threat intelligence. By identifying and mitigating vulnerabilities collectively, the industry can stay ahead of adversarial threats.
  4. Investment in Secure Development Practices: Organizations must prioritize secure coding practices, including regular penetration testing, automated vulnerability scans, and adherence to best practices for OSS integration.
  5. Adoption of Zero-Trust Architecture: Implementing a zero-trust model can limit the impact of potential OSS vulnerabilities. This approach treats every component as a potential threat, enforcing strict access controls and continuous monitoring.
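An added example (not from the article, Axellio or Synopsys) of the dependency-mapping check that steps 1 and 2 describe, applied to the SBOMs that CMMC 2.0 and EO 14028 push contractors toward: it reads a CycloneDX-style SBOM, scores each component against the two staleness measures the Synopsys report cites (10 or more versions behind, no development in over two years), and flags any component that the release index cannot account for as unknown provenance instead of skipping it. The SBOM, the component names, versions and dates, and the registry index are all constructed stand-ins; real tooling would query a package registry for the release history.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM; component names and versions are made up.
SBOM_JSON = """{
  "components": [
    {"type": "library", "name": "acme-logger", "version": "2.3.0"},
    {"type": "library", "name": "acme-parser", "version": "1.9.1"},
    {"type": "library", "name": "acme-crypto", "version": "0.8.2"},
    {"type": "library", "name": "mystery-lib", "version": "0.1"}
  ]
}"""

# Constructed stand-in for a registry query: (version, release date) per component.
RELEASE_INDEX = {
    "acme-logger": [("2.3.0", date(2019, 4, 2))]
    + [(f"2.{n}.0", date(2019 + n // 3, 1 + n % 12, 1)) for n in range(4, 15)],
    "acme-parser": [("1.9.0", date(2020, 1, 10)), ("1.9.1", date(2020, 8, 20))],
    "acme-crypto": [("0.8.2", date(2024, 3, 1)), ("0.9.0", date(2024, 10, 15))],
}

def parse_version(v):  # '2.14.1' -> (2, 14, 1); non-numeric parts count as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def assess_component(name, pinned, releases, as_of):
    """OSSRA-style staleness: releases above the pinned version, and time since the last release."""
    newer = [v for v, _ in releases if parse_version(v) > parse_version(pinned)]
    years_idle = (as_of - max(d for _, d in releases)).days / 365.25
    return {"name": name, "version": pinned, "versions_behind": len(newer),
            "years_since_last_release": round(years_idle, 1),
            "flag_behind": len(newer) >= 10,          # 10+ versions behind
            "flag_no_development": years_idle > 2.0,  # no release in over 2 years
            "unknown_provenance": False}

def audit_sbom(sbom_json, index, as_of):
    """Walk every SBOM component; unknown ones are flagged, never silently skipped."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        releases = index.get(comp["name"])
        if releases:
            findings.append(assess_component(comp["name"], comp["version"], releases, as_of))
        else:  # nothing known about it: flag for manual provenance review
            findings.append({"name": comp["name"], "version": comp["version"],
                             "versions_behind": None, "flag_behind": False,
                             "flag_no_development": False, "unknown_provenance": True})
    return findings

def run_audit(as_of=date(2025, 1, 1)):  # findings keyed by component name
    return {f["name"]: f for f in audit_sbom(SBOM_JSON, RELEASE_INDEX, as_of)}
```

With the constructed data, `acme-logger` trips the versions-behind flag, `acme-parser` trips the no-development flag, `acme-crypto` is clean, and `mystery-lib` is surfaced for provenance review.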

Intelligent CISO

View Magazine Archive